JP2010176431A - Program, method and apparatus for access control - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent information leakage due to reuse of information by a user who has an access right. <P>SOLUTION: An application monitoring part 106 monitors and captures specified processing such as copying and pasting performed by an OS 102 or an application 103 in order to reuse the contents of a protected document stored in a document storage area 101. When the specified processing is captured, a control part 107 performs various kinds of processing for setting a second access right taking over a first access right to a second document reusing the contents of a first document to which the first access right is set. For instance, a shared memory control part 111 manages the fact that the contents of the first document are reused in the second document through a shared memory 104 using a takeover management table 108. Then, a file preservation control part 110 refers to the takeover management table 108 and sets the second access right based on the first access right to the second document. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a technique for preventing leakage of the contents of an electronic document.

  In recent years, a lot of information has become electronic documents, and the importance of protecting electronic documents including confidential information has increased. Therefore, various access control techniques have been developed to prevent leakage of the contents of electronic documents.

  For example, according to one method, an operation request from a process or operating system for a computer resource is captured before accessing the computer resource. Then, it is determined whether or not there is an access right to the computer resource designated by the captured operation request.

  As a result of the determination, if there is an access right, the operation request is passed to the operating system, and the result is returned to the request source process. If the result of determination is that there is no access authority, the operation request is rejected.

  According to another method, information on a business application that permits access to a confidential file is registered in the management server in advance. The registered application information is distributed to each client as needed.

  When referring to a confidential file in a business application, application authentication is performed to determine whether the application is registered in advance in the server when the business application is activated. Only when the application authentication is passed, own process information is registered in the I / O capturing module. The I / O acquisition module permits access to confidential information only for processes that match the registered process information, and denies access otherwise.

  Furthermore, a file providing method for providing file data corresponding to the access authority of the access source is also known. In this file provision method, access authority is set for each data in a predetermined area of the file, data satisfying the access authority of the access source is concatenated by a predetermined combination, and the concatenated data is provided to the access source It is a method to do.

  Also known is a technique for preventing the protection data from being taken out of the computer system via the clipboard. For example, an information leakage prevention device having a writing unit and a pasting unit both having access rights to a protection target folder is known.

  When the writing unit writes the operation target data stored in the protection target folder to the clipboard in the main storage device, it encrypts the data using the encryption key associated with the protection target folder. Write data to the clipboard. When pasting the encrypted data written on the clipboard into a file stored in the auxiliary storage device, the pasting unit decrypts the encrypted data and pastes it into the file.

JP 2007-48310 A JP 2007-128205 A JP 2007-18066 A JP 2006-155155 A

As described above, there are various technologies for preventing information leakage. However, there is room for improvement in technology for preventing information leakage caused by reuse of information by a user having access rights.
Accordingly, an object of the present invention is to prevent information leakage due to reuse of information by a user having access rights.

  According to one aspect of the present invention, an access control program is provided. The access control program is a program that causes a computer to execute a capturing step, a setting step, and a storing step.

  In the capturing step, the content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents, Monitoring and capturing one or more processes performed when the document is reused.

  In the setting step, when the one or more processes are captured in the capturing step, a second access right based on the first access right is updated in the second electronic document by updating the access right information. It is a step to set.

The storing step is a step of encrypting and storing the second electronic document.
According to another aspect of the present invention, there is provided an access control method executed by a computer according to the access control program. According to still another aspect of the present invention, an access control apparatus for executing the access control method is provided.

  According to the disclosed technology, when the content included in the first electronic document is reused in the second electronic document, the second access right based on the first access right of the first electronic document is changed to the first access right. It is automatically set to the second electronic document. Therefore, it is possible to prevent the content included in the first electronic document from leaking to an unspecified person via the second electronic document.

It is a system configuration figure of a 1st embodiment. It is a figure which shows an example of an effect | action of 1st Embodiment. It is a figure which shows an example of the inheritance of the access right by 1st Embodiment. It is a figure which shows an example of the inheritance management table of 1st Embodiment. It is a figure which shows an example of the access right management table of 1st Embodiment. It is a flowchart when copying the whole document in 1st Embodiment. It is a flowchart when copying the data in a document in 1st Embodiment. It is a flowchart when pasting data on a document in the first embodiment. It is a flowchart when preserve | saving a document in 1st Embodiment. It is a timing chart which shows an example of an effect | action of 1st Embodiment. It is a system configuration figure of a 2nd embodiment. It is a figure which shows an example of the access right information stored in a document in 2nd Embodiment. It is a flowchart when copying the whole document in 2nd Embodiment. It is a flowchart when preserve | saving a document in 2nd Embodiment. It is a figure which shows an example of the access right management table of 3rd Embodiment. 12 is a flowchart for copying an entire document in the third embodiment. It is a flowchart when preserve | saving a document in 3rd Embodiment. It is a flowchart of the process which changes an access right in cascade in 3rd Embodiment. It is a figure which shows the data reuse relationship between documents in 3rd Embodiment. It is a figure which shows progress which the access right changes in cascade in 3rd Embodiment. It is a block diagram of a computer.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. First, the first embodiment will be described with reference to FIGS. 1 to 10, the second embodiment will be described with reference to FIGS. 11 to 14, and then the second embodiment will be described with reference to FIGS. The third embodiment will be described, and finally other modified examples will be described.

FIG. 1 is a system configuration diagram of the first embodiment. In the system of FIG. 1, a computer 100 is connected to an access right management server 300 via a network 200.
The access right management server 300 has an access right management table 301 that stores access right information used for user-specific access control to an electronic document including contents to be protected. In this embodiment, an electronic document including contents to be protected is protected by encryption and setting of access rights.

  In the following description, the term “content” or “information” is used to focus on the content itself, regardless of the data format, and is distinct from the specific “data” that represents the information. To do. For example, the content to be protected should always be protected no matter what form of data it represents.

  Further, although details will be described later with reference to FIG. 5, in this embodiment, the access right information included in the access right management table 301 is classified by user and application for access control at a finer granularity than mere user-specific access control. Separately represents access rights.

  The electronic document managed by the access right management table 301 is an electronic document stored in the computer 100 in this embodiment. However, a file server (not shown) or an external storage device may be further connected to the network 200, and an electronic document stored in the file server or the external storage device may be further managed by the access right management table 301. .

  Hereinafter, the electronic document may be simply referred to as “document”. The content and format of the document are arbitrary. For example, a document can include various contents represented by text, spreadsheets, graphics, images, audio, and the like.

  The computer 100 is an arbitrary computer such as a PC (Personal Computer) or a workstation. The computer 100 has a document storage area 101 realized by a nonvolatile storage device such as a hard disk device. The document storage area 101 stores a wide variety of document files. Some documents stored in the document storage area 101 include contents to be protected, and some documents do not need to be protected.

  In addition, an OS (Operating System) 102 and one or more applications 103 are installed in the computer 100, and the computer 100 operates according to the OS 102. The OS 102 provides a file system, an API (Application Programming Interface), and other basic functions. The user accesses a document stored in the document storage area 101 via the OS 102 or the application 103.

  In addition, the OS 102 enables data reuse via the shared memory 104. For example, the OS 102 provides a clipboard using the shared memory 104, and realizes copy and paste and cut and paste functions. In addition to the clipboard, the shared memory 104 may be used for sharing data between processes. Therefore, the content included in the first document may be reused in the second document via the shared memory 104.

  The OS 102 may further provide a function for taking a screen shot. When an input for taking a screen shot is made, the OS 102 may store the image data of the screen shot in the shared memory 104 as a clipboard. Thereby, it is possible to paste the image data of the screen shot into an arbitrary document.

  The computer 100 according to the present embodiment further includes an access control unit 105. The access control unit 105 includes an application monitoring unit 106 that monitors the application 103 and a control unit 107 that performs various types of control necessary for inheriting access rights. The control unit 107 includes an inheritance management table 108, a file open control unit 109, a file storage control unit 110, and a shared memory control unit 111. The shared memory control unit 111 includes a write control unit 112 and a pasting control unit 113.

  The application monitoring unit 106 monitors and captures a specific type of request from the application 103 to the OS 102. For example, the application monitoring unit 106 catches a request from the application 103 to the OS 102 by hooking an API function call from the application 103. The application monitoring unit 106 sends the captured request to each unit in the control unit 107.

  The application monitoring unit 106 according to the present embodiment further monitors and captures the response of the OS 102 to a specific type of request from the application 103. For example, the application monitoring unit 106 may capture the return value of the API function. The application monitoring unit 106 sends the captured response to each unit in the control unit 107.

As will be described in detail later, the application monitoring unit 106 also monitors some processes performed by the OS 102.
The control unit 107 performs control necessary for inheriting access rights between documents according to the processing captured by the application monitoring unit 106.

  Hereinafter, when the first access right is set for the first electronic document, setting the second access right to the second electronic document based on the first access right is referred to as the first electronic document. This is called inheritance of the access right from the document to the second electronic document.

  The access right may be inherited from one electronic document or may be inherited multiple times from a plurality of electronic documents. That is, for one electronic document corresponding to “child” in inheritance, one or more electronic documents corresponding to “parent” exist.

  In the present embodiment, when the first electronic document to be protected exists and the content included in the first electronic document is reused in the second electronic document, the control unit 107 starts from the first electronic document. The access right is controlled so that the access right is inherited to the second electronic document. The first and second electronic documents are stored in the document storage area 101.

  Note that the second document corresponding to the “child” in the inheritance is the same as the first access right set in the first electronic document corresponding to the “parent” in the inheritance or more strongly restricted than the second access right. Access rights are set. This is because the leakage of information is surely prevented when the contents of the first electronic document are reused. An example of how the second access right is specifically set based on the first access right will be described later.

Note that there are various ways in which the content included in the document, that is, the information included in the document is reused, and can be classified from the following viewpoints (a1) to (a3).
(A1) Whether only a part of the contents included in the first electronic document is reused in the second electronic document, or all the contents included in the first electronic document are reused in the second electronic document. Viewpoint of whether it is used.

  (A2) Whether the content is directly reused from the first electronic document to the second electronic document or indirectly through one or more other electronic documents Whether the content is reused from the first to the second electronic document.

  (A3) Whether the content to be reused is represented by the same format data in the first electronic document and the second electronic document, or the format of the data representing the same content is the first electronic document and the second electronic document Whether it is different in different electronic documents.

  For example, from the viewpoint of (a2), even when the content of the first electronic document is directly reused in the second electronic document, the content of the first electronic document is the following (b1) It can be reused in various ways as in (b6).

(B1) The first electronic document is copied by the OS 102 and stored as the second electronic document.
(B2) The first electronic document is opened by the application 103 and saved as a second electronic document by a menu such as “Save As”.

(B3) Data is copied and pasted or cut and pasted from the first electronic document to the second electronic document.
(B4) Data is exported from the first electronic document to the second electronic document.

  (B5) A screen shot is taken in a situation where the first electronic document is opened by the application 103 and the content of the first electronic document is displayed by a GUI (Graphical User Interface). Then, the image data of the screen shot is pasted on the second electronic document.

  (B6) A part or all of the first electronic document is stored as a new second electronic document by using input / output redirection or a pipe together with one or more commands via CLI (Command Line Interface). Or added to an existing second electronic document.

Each of (b2) to (b6) can be further classified from the viewpoint of (a1) or (a3).
For example, (b3) is further classified from the viewpoint of (a1) according to the copy range. Further, in the application 103 in which the data format can be selected in the menu such as saving, pasting, and importing, (b2) to (b4) are selected from the viewpoint of (a3) according to the data format selected from the menu. Further classified.

  In (b5), the information of the same content is often reused in different data formats from the viewpoint of (a3). For example, information that was originally expressed in a text format may be expressed and reused as screen shot image data.

  Hereinafter, the cases (b1) and (b3) will be mainly described in detail. However, (b1) to (b6) are common in that the content included in the first electronic document is reused in the second electronic document by one or more processes of the OS 102 or the application 103. . Therefore, in any case of (b1) to (b6), access right inheritance can be realized by a method described below or a method obtained by appropriately modifying the following method.

  That is, the application monitoring unit 106 monitors and captures one or more processes performed when the content included in the first electronic document to be protected is reused in the second electronic document. Then, the control unit 107 causes the access right to be inherited from the first electronic document to the second electronic document in accordance with the captured process.

  In other words, the application monitoring unit 106 performs one when the content included in the first electronic document to be protected is reused in the second electronic document by any one of (b1) to (b6), for example. The above processing is monitored. For example, regarding the reuse of information by copy and paste, the application monitoring unit 106 monitors and captures a request or response associated with copying and a request or response associated with pasting. As a result, the control unit 107 can recognize that the content included in the first electronic document has been reused in the second electronic document.

  As described in detail with reference to FIG. 4, the inheritance management table 108 associates the first electronic document with the second electronic document, so that “the contents included in the first electronic document are reproduced in the second electronic document. 1st inheritance management information indicating "used" is included. Precisely, the first inheritance management information indicates indefinite reuse.

  The first electronic document that originally contained the reused content is the parent in the inheritance of the access right, and the second electronic document to which the content has been reused is the child in the inheritance of the access right.

  A file open control unit 109 performs control when opening a file of an electronic document stored in the document storage area 101. Details of the operation of the file open control unit 109 will be described later with reference to FIG.

  The file storage control unit 110 performs control when storing an open electronic document file in the document storage area 101. Details of the operation of the file storage control unit 110 will be described later with reference to FIGS.

The shared memory control unit 111 performs control when access to the shared memory 104 occurs. Specifically, the write control unit 112 included in the shared memory control unit 111 performs control when data is written to the shared memory 104. In addition, the pasting control unit 113 included in the shared memory control unit 111 performs control when data is read from the shared memory 104 and pasted into the electronic document. Details of operations of the writing control unit 112 and the pasting control unit 113 will be described later with reference to FIGS.

  As will be described later, the file open control unit 109, the file storage control unit 110, the write control unit 112, and the paste control unit 113 execute control with reference to the access right management table 301 via the access right management server 300. To do. Further, the file storage control unit 110 may change the access right management table 301 via the access right management server 300.

  For example, the computer 100 may be configured as a computer 500 shown in FIG. In this case, the access control unit 105 including the above-described units is realized as middleware by a CPU (Central Processing Unit) 501 in FIG. 21 loading and executing a program in a RAM (Random Access Memory) 503 in FIG. . One of the advantages of the access control unit 105 being realized as middleware is that it is possible to realize access right inheritance by the processes shown in FIGS. 6 to 9 without changing the existing OS 102. is there.

  The inheritance management table 108 is realized by the RAM 503. Communication with the access right management server 300 for referring to and changing the access right management table 301 is performed via the communication interface 504 in FIG.

Next, an overview of access right inheritance by the system of FIG. 1 will be described using the examples of FIGS. Thereafter, specific control will be described with reference to FIGS.
FIG. 2 is a diagram illustrating an example of the operation of the first embodiment. FIG. 2 is a diagram for explaining the outline of the operation of the system of FIG. 1 when information is reused by copy and paste.

  In FIG. 2, the document D1 includes information to be protected, and thus an access right is set. In the example of FIG. 2, for the sake of simplification of explanation, a read authority is explained as an example of the access right, and only a specific user U (not shown) has the authority to read the document D1 by the application 103.

  In order to protect the information, the document D1 is encrypted and stored in the document storage area 101. In FIG. 2, the encryption is indicated by a key mark. Hereinafter, an access right is set by the access right management table 301 and an encrypted document is referred to as a “protected document”. A document for which no access right is set by the access right management table 301 and which is not encrypted is referred to as an “unprotected document”.

  An encrypted format is called a “protected format”, and an unencrypted format is called an “unprotected format”. The encryption algorithm used in the protection format is arbitrary. The definition of the protected document will be described again with reference to FIG.

  On the other hand, the document D2 originally does not include information to be specifically protected. Therefore, the document D2 is stored in the document storage area 101 without being encrypted. Further, access to the document D2 is not restricted, that is, an arbitrary user has read authority and write authority for the document D2.

When the user U opens the document D1 from the application 103, the application 103 decrypts the document D1.
Here, it is assumed that the object X is focused on as an example of data included in the document D1, and the object X is copied and pasted into the document D2 via the clipboard realized by the shared memory 104. The object X may be text, an image, or any other object.

  In this case, if the control by the access control unit 105 is not performed, an arbitrary user can know the contents of the object X that should be protected in the document D1 through the unencrypted document D2. I will be able to do it. That is, there is a risk that information represented by the object X is leaked.

As described above, merely controlling access to the document D1 is insufficient to prevent information leakage through another document caused by the operation of the user U having the access right to the document D1.
Therefore, in this embodiment, even when the object X is copied and pasted from the document D1 to the document D2, access control is performed so that the information represented by the object X is not leaked through the document D2. The unit 105 performs control. That is, the access control unit 105 performs control to restrict access to the document D2 by inheriting the access right of the document D1 to the document D2 and prevent information leakage from the document D2.

Details of the control by each unit in the access control unit 105 will be described later with reference to FIGS. 4 to 10. The outline of the operation of the access control unit 105 will be described as follows.
When the object X is copied from the document D1 to the clipboard, the access control unit 105 encrypts the object X and adds the access right information of the document D1 to the object X. Then, when the object X is to be pasted on the document D2, the access control unit 105 determines whether or not the pasting may be executed.

  In the example of FIG. 2, it is assumed that the document D2 is opened by the application 103 executed with the authority of the user U. Further, the access right information of the document D1 is added to the object X. That is, the right to read the object X from the application 103 is given to the user U by the access right information of the document D1.

  Therefore, the access control unit 105 determines that “the combination of the user U who has opened the document D2 and the application 103 has the read authority for the object X and the write authority for the document D2, so that the pasting may be executed”. . In this determination, the access control unit 105 refers to the access right management table 301.

If the access control unit 105 determines that “paste may be performed”, the access control unit 105 decrypts the encrypted object X on the clipboard and pastes it in the document D2.
Then, the access control unit 105 performs a process for reflecting the access right information added to the object X, that is, the access right information of the document D1, in the access right information of the document D2. In other words, the access control unit 105 stores the relationship that “the document D2 should inherit the access right of the document D1” when the object X is pasted.

  When the document D2 to which the object X is pasted is about to be saved, the access control unit 105 associates the access right information inherited from the document D1 with the document D2 based on the stored relationship, and manages the access right. Register in the table 301. Also, the access control unit 105 encrypts the document D2 and stores it in the document storage area 101.

With the above control, when the object X is copied and pasted from the document D1 to the document D2, the access right is inherited from the document D1 to the document D2. For example, when only the user U has the authority to read the document D1, as a result of inheritance, only the user U has the authority to read the document D2. Therefore, the risk that the information represented by the object X is leaked to other users who do not have the authority to read the document D1 via the document D2 is avoided.

FIG. 3 is a diagram illustrating an example of access right inheritance according to the first embodiment. In FIG. 3, for the sake of simplicity of explanation, a read authority among access authorities will be described as an example.
In the example of FIG. 2, it is assumed that only the user U has the authority to read the document D1 for the sake of simplicity. However, it is common that a plurality of users have the authority to read the same document. In the example of FIG. 2, only the document D1 corresponds to the parent when viewed from the document D2 corresponding to the child in the inheritance of the access right. However, access rights may be inherited from multiple parents.

  In the example of FIG. 3, only the users U1, U2, and U3 have the authority to read the document D11, and only the users U1 and U2 have the authority to read the document D12. Originally, only users U2 and U3 have the authority to read document D13. That is, any of the documents D11 to D13 for which read authority is set is a protected document.

  FIG. 3 illustrates what access rights the access control unit 105 should set to the document D13 when both pieces of information of the documents D11 and D12 are reused in the document D13. In other words, FIG. 3 illustrates how access rights should be inherited from documents D11 and D12 to document D13.

That is, the access right of the document D13 after reusing information from the documents D11 and D12 needs to satisfy all of the following (c1) to (c3).
(C1) It is equivalent to the access right of the document D11 or more strictly limited than the access right of the document D11.

(C2) It is equivalent to the access right of the document D12 or more strictly limited than the access right of the document D12.
(C3) It is equivalent to the access right of the original document D13 before the information is reused or is more strictly limited than the access right of the original document D13 before the information is reused.

  For example, the setting that “no user has the authority to read the document D13 after the information is reused” satisfies all of (c1) to (c3), but is more restrictive than necessary. Therefore, for example, the access control unit 105 applies the least restrictive setting to the new document D13 after the information is reused under the condition that all of (c1) to (c3) are satisfied. .

  In the example of FIG. 3, the user U1 does not have the authority to read the original document D13, the user U3 does not have the authority to read the document D12, and the other users other than the users U1 to U3 have the documents D11, D12, and the original document D13. There is no authority to read the document D13. Accordingly, the access control unit 105 sets the access right information so that only the user U2 has the right to read the document D13 after the information is reused.

In the above description, for the sake of simplicity, only inheritance of read authority is illustrated, but other types of access rights such as write authority are inherited in the same manner.
Next, the access right inheritance whose outline is illustrated in FIGS. 2 and 3 will be described in detail with reference to FIGS.

FIG. 4 is a diagram illustrating an example of the inheritance management table according to the first embodiment. In the present embodiment, the inheritance management table 108 provided in the control unit 107 in the access control unit 105 includes one or more direct or indirect IDs (identifiers) of documents currently opened by the application 103 as shown in FIG. Is a table associated with the ID of the copy source document. The document ID is a specific example of identification information for identifying an electronic document.

  In the following, when data included in the first document is copied and pasted or cut and pasted into the second document and reused, the first document is referred to as a “copy source document”. The second document is called “copy destination document”. The copy source document is a parent in the inheritance of access rights, and the copy destination document is a child.

  The left column in FIG. 4 indicates the ID of the open document, the right column indicates the ID of the copy source document, and the left column and the right column have a one-to-n relationship. As will be described later, the inheritance management table 108 is dynamically updated. Further, the document ID of the protected document or the non-protected document is recorded in the left column of FIG. 4, and only the ID of the protected document is recorded in the right column.

  For example, a document with a document ID “DOC1” is simply referred to as “document DOC1”. Conversely, the notation “document DOC1” implies that the document ID is “DOC1”.

  According to FIG. 4, the document ID “DOC1” is associated with the document ID “DOC2”. That is, FIG. 4 shows that the document DOC1 includes information reused from the protected document DOC2. FIG. 4 does not indicate whether the document DOC1 is a protected document or an unprotected document.

  FIG. 4 shows that the document DOC3 includes information reused from the protected document DOC4, and the protected document DOC4 includes information reused from the protected document DOC5. Therefore, there is a possibility that the document DOC3 reuses the information of the protected document DOC5 indirectly through the protected document DOC4.

  In this embodiment, when there is a possibility of indirect reuse as described above, it is said that “document DOC5 is an indirect copy source document of document DOC3”. If there is a possibility of indirect reuse, the inheritance management table 108 associates not only the document ID “DOC4” but also the document ID “DOC5” with the document ID “DOC3” as shown in FIG. I remember it.

  The possibility of indirect reuse is different from the fact that information is actually indirectly reused. For example, information that is not reused from the protected document DOC5 among the information included in the protected document DOC4 may be reused by the document DOC3 from the protected document DOC4.

  In this case, the information of the protected document DOC5 is not actually reused in the document DOC3. However, from the above definition, the document DOC5 is an indirect copy source document of the document DOC3. The reason why the indirect copy source document is defined as described above is that the granularity of management in inheritance of access rights is in units of documents.

FIG. 4 also shows that both the protected document DOC6 and the protected document DOC7 are currently open and are reusing information with each other.
That is, in FIG. 4, the protected document DOC6 is both a copy source document and a copy destination document of the protected document DOC7. Similarly, the protected document DOC7 is both a copy source document and a copy destination document of the protected document DOC6.

Therefore, between the protected document DOC6 and the protected document DOC7, the parent-child relationship in inheritance of the access right is also cyclic. For example, the protected document DOC6 is an ancestor and a descendant of the protected document DOC6 itself. Such a cyclic relationship also occurs when information on each other is reused in three or more documents.

  In the present embodiment, when a cyclic relationship occurs, the inheritance management table 108 prevents the “open document ID” itself in the left column from being stored in the right column as the “copy source document ID” itself. Is controlled by the process shown in FIG.

Next, the access right management table 301 will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of an access right management table according to the first embodiment.
In FIG. 5, the access right management table 301 includes a “document ID” column, a “user ID or group ID” column, an “application ID that can handle protected documents” column, and an “authority” column. The access right management table 301 associates access right information represented by a combination of a “user ID or group ID” column, an “application ID that can handle protected documents” column, and an “authority” column with each document ID. The access right information is sometimes called AC (Access Control) information.

  In the present embodiment, the document whose document ID is registered in the “document ID” column of the access right management table 301 is only the protected document described with reference to FIG. As described above, since the protected document includes information to be protected, an access right is set, encrypted, and stored in the document storage area 101 of FIG.

  That is, the access right management table 301 is a table for managing the access rights for each user and each application set for each protected document, and does not manage anything for unprotected documents.

  In the example of FIG. 5, the “user ID or group ID” column includes only the IDs of users or groups that can access the protected document. The “application ID that can handle protected documents” includes only the IDs of applications that are allowed to be used when those users or groups access the protected documents. In the “authority” column, operations permitted to be executed by those applications are stored.

  In this embodiment, as will be described later, the access right management server 300 issues a document ID based on a request from the file storage control unit 110 or the write control unit 112. The access right management server 300 manages the document index information for identifying a document in association with the issued document ID. For example, the document index information may be a file name including a path in the document storage area 101 or an identification number for uniquely identifying a file on the file system provided by the OS 102.

  In the following, similarly to the notation relating to the document, for example, a user with a user ID of “USER1” is simply expressed as “user USER1”, and a user group with a group ID of “GROUP1” is simply expressed as “group GROUP1”. Similarly, for example, an application having an application ID “APP-U1-1” is simply referred to as “application APP-U1-1”.

  In FIG. 5, in the “authority” column, the read authority (that is, browsing authority) is represented as “Read”, the write authority (that is, editing authority) is represented as “Write”, and the print authority is represented as “Print”. Yes. Other types of rights, such as delete rights, may be further defined.

According to FIG. 5, for example, the application APP- activated by the user USER1
When U1-1 accesses the document DOC1, reading of the document DOC1 is permitted, but writing to the document DOC1 and printing of the document DOC1 are not permitted. When another application APP-U1-2 started by the same user USER1 accesses the same document DOC1, reading of the document DOC1 and writing to the document DOC1 are permitted.

  Similarly, access right information is defined for other users such as the user USER2 and user groups such as the group GROUP1. A set of these access right information expressed by a combination of the user ID or group ID, the application ID, and the authority is associated with the document DOC1.

  Note that the access right management table 301 of FIG. 5 is represented in a form without authority unless explicitly specified. For example, regarding the case where the application APP-U1-1 activated by the user USER1 accesses the document DOC1, the absence of an explicit designation of “Write” in the “authority” column indicates that there is no writing authority. However, for each type of authority, for example, a format that explicitly expresses that there is no authority using a flag is also possible.

  The access right management table 301 in FIG. 5 described above is referred to via the access right management server 300 from the file open control unit 109, the file storage control unit 110, the write control unit 112, and the paste control unit 113 in FIG. Or changed.

  For example, when the application 103 requests the OS 102 to open a document, the application monitoring unit 106 captures the request. Since the captured request is an open request for opening a document, the application monitoring unit 106 notifies the file open control unit 109 of the captured open request.

  The open request includes document index information that identifies a document to be opened. The application monitoring unit 106 also detects the application ID of the application 103 that issued the open request and the user ID of the user who started the application 103 and notifies the file open control unit 109 together with the open request. The document index information may be, for example, a file name including a path in the document storage area 101 or an identification number such as an inode number for identifying a file on the file system provided by the OS 102.

  When the open request is notified, the file open control unit 109 determines whether to open the document in response to the open request by referring to the access right management table 301 via the access right management server 300. .

  That is, the file open control unit 109 checks with the access right management server 300 whether a document ID corresponding to the document index information included in the open request exists and is registered in the access right management table 301. Request that. If the document ID corresponding to the document index information exists and is registered in the access right management table 301, the open request relates to the protected document. If the document ID corresponding to the document index information does not exist or is not registered in the access right management table 301 even if it exists, the open request relates to an unprotected document.

  Further, in the case of an open request relating to a protected document, the file open control unit 109 further requests the access right management server 300 to check whether or not the following (d1) and (d2) are associated in the access right management table 301. To do.

(D1) Document ID of the protected document for which an open request has been issued.
(D2) Access right information represented by a combination of the user ID (or the group ID of the group to which the user ID belongs) and the application ID notified together with the open request and the read authority.

  The access right management server 300 refers to the access right management table 301 according to the request from the file open control unit 109, and returns one of the following responses (e1) to (e3) to the file open control unit 109.

(E1) The open request relates to an unprotected document.
(E2) The open request relates to a protected document. The read authority for the requested protected document is given to the combination of the user ID and the application ID notified together with the open request.

  (E3) The open request relates to a protected document. The read authority for the requested protected document is not given to the combination of the user ID and the application ID notified together with the open request.

  When the response (e1) is obtained from the access right management server 300, the file open control unit 109 determines that the open request may be accepted, and notifies the OS 102 of the open request. The OS 102 opens an unprotected document in accordance with the open request and provides an interface for accessing the opened unprotected document to the application 103. For example, the OS 102 can provide an interface by returning a file handle to the application 103.

  When the response (e2) is obtained from the access right management server 300, the file open control unit 109 determines that the open request may be accepted, converts the requested protected document into an unprotected format, and opens it. That is, the file open control unit 109 decrypts and opens the encrypted protected document. The file open control unit 109 provides the application 103 with an interface such as a file handle for accessing the decrypted and opened protected document.

  For example, it is assumed that the application APP-U1-1 started by the user USER1 and executed under the authority of the user USER1 issues an open request to open the protected document DOC1. In this case, as shown in FIG. 5, since the read authority is given, the file open control unit 109 obtains a response (e2).

  When the response (e3) is obtained from the access right management server 300, the file open control unit 109 determines that the open request should not be accepted, and returns, for example, an error code to the application 103.

  The process in which the file storage control unit 110, the write control unit 112, and the pasting control unit 113 refer to or change the access right management table 301 in FIG.

  Next, the operation of the system of FIG. 1 using the information of FIGS. 4 and 5 will be described with reference to FIGS. Since there is no possibility of confusion, the terms “copy source document” and “copy destination document” are used only with respect to FIG. 6 in a meaning slightly different from that defined with respect to FIG. Is re-used in the destination document.

FIG. 6 is a flowchart for copying the entire document in the first embodiment. When the first document, which is a protected document, is copied as the second document, the contents of the first document are reused as a whole in the second document. Therefore, the access control unit 105 in FIG. 1 prevents information from leaking from the second document by the processing in FIG.

In step S101, a document copy request to the OS 102 (hereinafter referred to as “document copy request”) is generated.
For example, when a document icon displayed by the GUI provided by the OS 102 is selected, a menu for creating a copy in a designated folder is selected, and a folder is designated, a document copy request is generated.

A document copy request is also generated when a command for copying a file is input in the CLI.
In the next step S102, the OS 102 copies the document according to the document copy request, and reports to the application 103 that the copying is complete. Hereinafter, this report is referred to as “document copy completion report”.

  Since the application monitoring unit 106 monitors the document copy completion report, it captures and intercepts the document copy completion report and notifies the file storage control unit 110 in step S102.

  In step S103, the file storage control unit 110 determines whether the document copy completion report captured in step S102 relates to the protected document by referring to the access right management table 301.

  In this embodiment, the document copy completion report includes document index information for identifying a copy source document, that is, an original document to be copied, and a copy destination document, that is, a document newly created by copying in step S102. It is. Alternatively, the application monitoring unit 106 may recognize document index information of each of the copy source document and the copy destination document by monitoring and capturing the document copy request in step S101.

  In step S103, the file storage control unit 110 checks with the access right management server 300 whether a document ID corresponding to the document index information of the copy source document exists and is registered in the access right management table 301. Request that. If the document ID corresponding to the document index information of the copy source document is registered in the access right management table 301, the copy source document is a protected document, and if not registered, the copy source document is an unprotected document.

  If the copy source document is a protected document, the process proceeds from step S103 to step S104. If the copy source document is an unprotected document, the process proceeds from step S103 to step S105.

  In step S104, the file storage control unit 110 converts the copy destination document into a protected format (that is, encrypts it). Depending on the embodiment, an encrypted copy destination document may be generated simply by the OS 102 simply copying the encrypted copy source document in the protected format in step S102. In that case, it is not necessary to convert the copy destination document into a protected format in step S104.

In step S104, the file storage control unit 110 issues a new document ID to the copy destination document, and requests the access right management server 300 to manage the document index information of the copy destination document in association with the new document ID. To do. The access right management server 300 issues a new document ID according to the request, associates it with the document index information of the copy destination document, and issues the issued document I
D is notified to the file storage control unit 110.

  Further, the file storage control unit 110 adds the access right information of the copy source document in the access right management table 301 to the copy destination document via the access right management server 300, and adds the added access right information to the access right management table 301. Register with.

  For example, it is assumed that the copy source document is the document DOC1 and the new document ID issued to the copy destination document is “DOC100”. In this case, in response to a request from the file storage control unit 110, the access right management server 300 copies the set of access right information associated with the document ID “DOC1” in the access right management table 301 of FIG. It is registered in the access right management table 301 in association with “DOC100”. As a result, a new entry associated with the document ID “DOC100” is added to the access right management table 301.

  Finally, in step S105, the file storage control unit 110 reports the completion of copying to the GUI, CLI, or other process that is the destination of the document copy completion report captured in step S102. Then, the process of FIG. 6 ends. Therefore, when the copy source document is an unprotected document, the document copy completion report from the OS 102 is simply transferred to the application 103.

  Note that the processing in FIG. 6 can be modified such that the application monitoring unit 106 monitors and captures a document copy request. In that case, the application monitoring unit 106 notifies the captured document copy request to the file storage control unit 110, and the file storage control unit 110 transfers the document copy request to the OS 102. A document copy completion report is sent from the OS 102 to the file storage control unit 110. However, the access right inheritance in step S104 is the same as in FIG.

  According to the processing of FIG. 6 described above, for example, when the protected document DOC1 is copied and a new document DOC100 is created, the same access right as the document DOC1 is set in the document DOC100. That is, the document DOC100 inherits the access right of the document DOC1. Therefore, information contained in the copy source document DOC1 is not leaked to the user who does not have access rights to the copy source document DOC1 via the copy destination document DOC100.

In a conventional method for permitting or prohibiting access to a confidential file for each business application, an arbitrary user can reuse the contents of the confidential file by using a business application permitted to access the confidential file. In other words, RBAC (Roll-Based
Access Control) is not performed. However, in this embodiment, as in the access right management table 301 in FIG. 5, the access right can be set for each user, and RBAC can be realized.

  6 does not depend on which folder in the document storage area 101 the copy source document is stored in, and does not depend on which folder in the document storage area 101 the copy destination document is created. Further, the process of FIG. 6 is executed transparently.

  Therefore, the user who has the access right to the copy source document does not need to be aware of whether or not the copy source document is a protected document, and can copy any document in any folder to any folder. . In other words, according to the present embodiment, there is no need for the user to move a document to be protected to a specific protected folder, and thus the user forgets to move the document and information is leaked. There is no.

  Next, the operation of the access control unit 105 in information reuse via the shared memory 104 will be described in detail with reference to FIGS. In the following, the reuse of information by copy and paste via the clipboard realized by the shared memory 104 will be specifically described. However, the reuse of information via the shared memory 104 is copy and paste. Not limited to.

FIG. 7 is a flowchart for copying data in a document in the first embodiment.
In step S <b> 201, the application 103 requests the OS 102 to copy the data in the currently opened document to the shared memory 104. Hereinafter, this request is referred to as a “data copy request”.

  For example, a part or all of the range in the document that the application 103 is currently open is selected, and the user instructs to copy the data in the selected range via the input device. Then, the application 103 issues a data copy request for copying data in the selected range to the shared memory 104 as a clipboard.

  In step S <b> 202, the OS 102 copies data to the shared memory 104 in accordance with a data copy request from the application 103 and reports the completion of copying to the application 103. In general, in the clipboard provided by the OS 102, data is overwritten every time copying is performed, and data previously copied to the clipboard does not remain.

  Since the application monitoring unit 106 is monitoring a copy completion report from the OS 102 to the application 103, the copy completion report is captured and intercepted in step S202.

  From the copy completion report destination or the copy completion report itself, the application monitoring unit 106 recognizes the application ID of the application 103 that issued the data copy request and the document index information of the copy source document.

  Then, the application monitoring unit 106 notifies the write control unit 112 of the application ID of the application that issued the data copy request and the document index information of the copy source document.

  In step S203, the write control unit 112 determines whether the copy source document is a protected document with reference to the access right management table 301. For example, the write control unit 112 makes an inquiry specifying the document index information of the copy source document to the access right management server 300 via the network 200. That is, the write control unit 112 requests the access right management server 300 to check whether or not a document ID corresponding to the designated document index information exists and is registered in the access right management table 301.

  If the document ID corresponding to the specified document index information exists and is registered in the access right management table 301, the data copy request is for a protected document. If the document ID corresponding to the specified document index information does not exist or is not registered in the access right management table 301 even if it exists, the data copy request relates to an unprotected document.

The access right management server 300 responds to the write control unit 112 as to whether the data copy request relates to a protected document or an unprotected document. When the data copy request relates to a protected document, the access right management server 300 further notifies the write control unit 112 of the document ID of the copy source document.

  If the copy source document is a protected document, the process proceeds from step S203 to step S204. If the copy source document is an unprotected document, the process proceeds from step S203 to step S205.

  In step S204, the write control unit 112 converts the data written in the shared memory 104 in step S202 into a protected format. That is, the write control unit 112 encrypts data on the shared memory 104 and overwrites the shared memory 104. The encryption algorithm is arbitrary.

  Further, the write control unit 112 writes the document ID of the copy source document notified in step S <b> 203 to an empty area on the shared memory 104 and associates it with the protected format data on the shared memory 104.

  Also, if the document ID of the copy source document is registered in the “open document ID” column in the inheritance management table 108 of FIG. 4, the write control unit 112 associates the associated “copy source document ID”. ”To obtain one or more document IDs. Then, the writing control unit 112 further writes the acquired one or more document IDs in a free area on the shared memory 104 in association with the protected data on the shared memory 104. Then, the write control unit 112 reports the completion of copying to the application 103, and the processing in FIG.

  For example, when the protected document DOC2 is a copy source document, the data copied from the protected document DOC2 and converted into the protected format and the document ID “DOC2” are associated with each other in the shared memory 104 by the process of step S204. It is stored in the state.

  Alternatively, it is assumed that the protected document DOC4 is a copy source document and the inheritance management table 108 is in the state shown in FIG. In this case, in the inheritance management table 108, the document ID “DOC4” of the copy source document is registered in the “open document ID” column, and is registered in association with the “copy source document ID” column. Is the document ID “DOC5”.

  Therefore, in this case, the data copied from the protected document DOC4 and converted into the protected format and the two document IDs “DOC4” and “DOC5” are associated with each other in the shared memory 104 by the process of step S204. Stored.

  On the other hand, if the copy source document is an unprotected document, the writing control unit 112 determines in step S205 by referring to the inheritance management table 108 whether or not the copy source document includes data reused from the protected document. To do.

  More precisely, in step S205, it is not whether or not the copy source document actually includes data reused from the protected document, but whether or not the copy source document may include data reused from the protected document. Is judged. In other words, in step S205, it is determined whether there is a possibility of indirect reuse described with reference to FIG.

  For example, assume that the copy source document is an unprotected document DOC3. Referring to the inheritance management table 108 in FIG. 4, the document ID “DOC3” is registered in the “open document ID” column. As is clear from the processing of FIG. 8 described later, in this case, the copy source document DOC3 may include data reused from the protected document.

  If there is a possibility that the copy source document includes data reused from the protected document, the process proceeds to step S206. If there is no possibility that the copy source document includes data reused from the protected document, the write control unit 112 reports the completion of the copy to the application 103, and the processing in FIG.

  Step S206 is executed when the direct copy source document itself in the copy in step S202 is an unprotected document and there is a possibility of indirect information reuse from the protected document. Therefore, the data on the shared memory 104 needs to be protected.

  Therefore, in step S206, the write control unit 112 converts the data copied to the shared memory 104 in step S202 into a protected format. Furthermore, the writing control unit 112 sets one or more document IDs associated with the document ID of the copy source document notified in step S203 and registered in the “copy source document ID” column of the inheritance management table 108. Acquired as the document ID of the indirect copy source document.

  For example, when the copy source document is the unprotected document DOC3, according to the inheritance management table 108 of FIG. 4, “copy source document ID” corresponding to the document ID “DOC3” in the “open document ID” column. Document IDs “DOC4” and “DOC5” are registered in the column. Therefore, the write control unit 112 acquires document IDs “DOC4” and “DOC5” as document IDs of indirect copy source documents.

  Then, the write control unit 112 further associates the information acquired from the inheritance management table 108 (for example, two document IDs “DOC4” and “DOC5” in the above example) with the data in the protected format on the shared memory 104. Thus, the data is written into an empty area on the shared memory 104. Then, the write control unit 112 reports the completion of copying to the application 103, and the processing in FIG.

  7 is compared with the processing at the time of copying the object X from the protected document D1 to the clipboard in FIG. 2, the addition of the access right information to the object X in FIG. This is performed in step S204 or S206.

  That is, copying the document ID to the shared memory 104 and associating it with the data in the protected format is adding access right information to the data on the shared memory 104. This is because the access right information associated with the document ID in the access right management table 301 is indirectly associated with the data on the shared memory 104 by associating the document ID with the data.

FIG. 8 is a flowchart when data is pasted on a document in the first embodiment.
In step S301, the application 103 requests the OS 102 to paste the data stored in the shared memory 104 into the currently opened document. Hereinafter, this request is referred to as a “paste request”.

  In step S301, the application monitoring unit 106 that monitors the pasting request captures the pasting request and intercepts it. In this embodiment, it is assumed that the paste request itself includes the application ID of the application 103 that issued the paste request, and the document index information of the copy destination document to which data is to be pasted according to the paste request. The application monitoring unit 106 notifies the pasting request to the pasting control unit 113.

  In the next step S302, the paste control unit 113 determines whether or not the paste request captured by the application monitoring unit 106 in step S301 is a protect format data paste request. That is, the pasting control unit 113 determines whether there is a document ID stored in the shared memory 104 in association with the data on the shared memory 104 that realizes the clipboard.

  If there is a document ID associated with the data on the shared memory 104, the data on the shared memory 104 is the data that has been protected in step S204 or S206 in FIG. Accordingly, in step S302, the pasting control unit 113 determines that “the pasting request captured by the application monitoring unit 106 in step S301 is a pasting request for data in a protected format”, and the process proceeds to step S303. .

  On the other hand, if no document ID is associated with the data on the shared memory 104, it is determined in step S205 in FIG. 7 that the copy source document may not include data reused from the protected document. Is the case. That is, the shared memory 104 stores data that has been copied by the OS 102 in step S202 of FIG. Accordingly, in step S302, the pasting control unit 113 determines that “the pasting request captured by the application monitoring unit 106 in step S301 is a pasting request for unprotected data”, and the process proceeds to step S309. To do.

In step S303, the pasting control unit 113 determines whether or not pasting should be permitted.
In other words, the pasting control unit 113 determines whether or not the application that issued the pasting request has an access right to the protected format data on the shared memory 104. Here, “having access right to data on shared memory 104” means “having at least read authority to all of one or more documents in which document ID is associated with data on shared memory 104”. "Means.

  For example, it is assumed that the document ID “DOC1” is associated with data on the shared memory 104, and the copy destination document is currently opened by the application APP-U1-1 executed with the authority of the user USER1. The access right management table 301 is as shown in FIG.

  In this case, the pasting control unit 113 can acquire the document ID “DOC1” associated with the data by referring to the shared memory 104. Further, the pasting control unit 113 has already acquired the application ID “APP-U1-1” from the pasting request in step S301. For example, by making an inquiry to the OS 102, the pasting control unit 113 can recognize that the application APP-U1-1 is being executed with the authority of the user USER1.

  Accordingly, in step S303, the pasting control unit 113 refers to the access right management table 301 via the access right management server 300 based on the recognized result, and assigns the access right to the data on the shared memory 104 to the application APP- It is determined whether or not U1-1 has. That is, the pasting control unit 113 determines whether or not the read authority is set for the combination of the document ID “DOC1”, the application ID “APP-U1-1”, and the user ID “USER1”. Contact The access right management server 300 refers to the access right management table 301 and responds with the presence / absence of read authority.

In the example of FIG. 5, the read authority is set for the combination of the document ID “DOC1”, the application ID “APP-U1-1”, and the user ID “USER1”. Accordingly, in step S303, the pasting control unit 113 permits the pasting to be performed, and the process proceeds to step S305.

  On the other hand, as a result of referring to the access right management table 301, if it is determined that the application that issued the paste request does not have the access right to the data on the shared memory 104, the process proceeds to step S304.

  In step S304, the pasting control unit 113 displays a message indicating that pasting is not possible on the screen of the computer 100, and returns an error code indicating that pasting is not possible to the application 103 that issued the pasting request. Alternatively, the message display may be omitted. Then, the process of FIG. 8 ends.

  Step S305 is executed when pasting is permitted. In step S305, the pasting control unit 113 decrypts the data on the shared memory 104 to convert it into an unprotected format, and pastes the converted data into the copy destination document.

  Subsequent steps S306 to S308 are processes for access right inheritance. In step S306, the paste control unit 113 determines whether the copy destination document is an unprotected document that is not registered in the inheritance management table 108.

  As described above, in this embodiment, the access right management server 300 manages the correspondence between the document index information for identifying a document in the file system and the document ID for access right management. Therefore, the paste control unit 113 makes an inquiry to the access right management server 300 using the document index information of the copy destination document indicated by the paste request as a key. As a result, the pasting control unit 113 recognizes whether or not a document ID has already been issued for the copy destination document, and recognizes the issued document ID if the document ID has already been issued.

  If the document ID has not been issued for the copy destination document, the copy destination document is an unprotected document that has not been registered in the inheritance management table 108. Therefore, the process proceeds to step S307.

  If the document ID has been issued for the copy destination document, the copy destination document is a protected document or an unprotected document registered in the inheritance management table 108. Therefore, the process proceeds to step S308.

  In step S307, the pasting control unit 113 requests the access right management server 300 to issue a new document ID for the copy destination document that is an unprotected document not registered in the inheritance management table 108. The access right management server 300 issues a new document ID, associates it with the document index information of the copy destination document, and notifies the pasting control unit 113 of the issued document ID. Then, the process proceeds to step S308.

  In step S308, the pasting control unit 113 associates all document IDs other than the document ID of the copy destination document among the document IDs associated with the data on the shared memory 104 with the document ID of the copy destination document. Register in the table 108. Further, the pasting control unit 113 reports the pasting completion to the application 103.

For example, it is assumed that the copy destination document is the document DOC3, and the document IDs “DOC4” and “DOC5” are associated with the data on the shared memory 104. In this case, the pasting control unit 113 assigns the document ID “DOC3” of the copy destination document as shown in FIG.
In the left column of 08, the document IDs “DOC4” and “DOC5” associated with the data are registered in the corresponding right column. By the step S308, “the document DOC3 should inherit the access right from the protected document DOC4 and the protected document DOC5” is expressed in the inheritance management table 108.

  For example, it is assumed that the copy destination document is the document DOC6 and the document IDs “DOC6” and “DOC7” are associated with the data on the shared memory 104. In this case, the pasting control unit 113 registers only the document ID “DOC7” in the right column of the inheritance management table 108 in association with the document ID “DOC6” of the copy destination document as shown in FIG.

  Step S309 is executed when the paste request captured by the application monitoring unit 106 in step S301 is an unprotected format paste request. In this case, there is no need to restrict access, and there is no need to decrypt data to be pasted.

  Therefore, in step S309, the pasting control unit 113 notifies the OS 102 of the pasting request notified in step S301. Then, the OS 102 pastes the data on the shared memory 104 into the copy destination document, and reports the end of pasting to the application 103. Then, the process of FIG. 8 ends.

  8 is compared with the processing at the time of pasting the object X on the document D2 in FIG. 2, the judgment of pasting execution in FIG. 2 corresponds to step S303 in FIG. Also, the decryption in FIG. 2 corresponds to step S305 in FIG. 8, and the process for reflecting the access right information in FIG. 2 corresponds to step S308 in FIG.

FIG. 9 is a flowchart for storing a document in the first embodiment.
In step S401, the application 103 requests the OS 102 to save the currently opened document. Hereinafter, this request is referred to as a “storage request”, and a document for which storage is requested is referred to as a “target document”.

  In step S401, the application monitoring unit 106 that monitors the storage request captures and intercepts the storage request. In the present embodiment, it is assumed that the save request itself includes the application ID of the application 103 that issued the save request and the document index information of the target document. The application monitoring unit 106 notifies the file storage control unit 110 of the captured storage request.

  In the next step S402, the file storage control unit 110 determines whether the target document is a document whose document ID is registered in the “open document ID” column of the inheritance management table 108 of FIG. For this purpose, the file storage control unit 110 inquires of the access right management server 300 that manages the association between the document index information and the document ID whether the document ID has been issued for the target document, and the document ID is issued. If completed, obtain the document ID.

  If the document ID has not been issued for the target document, the process proceeds to step S403. Also, when the document ID has been issued for the target document, but the document ID of the target document is not registered in the “open document ID” column of the inheritance management table 108, the process proceeds to step S403.

  On the other hand, if the document ID has been issued for the target document and the document ID of the target document is registered in the “open document ID” column of the inheritance management table 108, the process proceeds to step S406. Transition.

  The processes after step S403 are executed after the target document has been opened by the application 103 this time, when data reuse from the protected document has not occurred, that is, when inheritance of a new access right does not occur. .

  In step S403, the file storage control unit 110 determines whether the target document is a protected document. The file storage control unit 110 can make the determination in step S403 based on the document ID inquiry result in step S402.

That is, when it is determined in step S402 that the document ID has not been issued for the target document, the target document is an unprotected document.
If a document ID is issued and the target document is an unprotected document, the document ID is registered in the “open document ID” column of the inheritance management table 108. However, step 403 is executed when the document ID of the target document is not registered in the “open document ID” column of the inheritance management table 108. Accordingly, in step S403, the file storage control unit 110 can determine that “if the document ID is issued, the target document is a protected document”.

  If the file storage control unit 110 determines in step S403 that the target document is a protected document, the process proceeds to step S404. In step S404, the file storage control unit 110 converts the target document into a protection format, and in step S405, stores the target document in the protection format in the document storage area 101 and reports the storage completion to the application 103. Then, the process of FIG. 9 ends.

  On the other hand, if the file storage control unit 110 determines in step S403 that the target document is an unprotected document, the process proceeds to step S405. In step S405, the file storage control unit 110 stores the target document in the document storage area 101 and reports the completion of storage to the application 103, and the processing in FIG. 9 ends.

  The processing after step S406 is executed when the document ID of the target document is registered in the “open document ID” column of the inheritance management table 108, that is, when a new access right needs to be inherited. . The fact that a new access right needs to be inherited means that, regardless of whether or not the target document is already a protected document before being opened by the application 103 this time, the target document will be protected in the future with the access right set. It is managed as a document. Accordingly, in step S406, the file storage control unit 110 converts the target document into a protected format.

  In step S407, the file storage control unit 110 determines whether the target document is an unprotected document until it is opened by the application 103 this time. That is, the file storage control unit 110 inquires of the access right management server 300 whether or not the document ID of the target document acquired in step S402 is registered in the “document ID” column of the access right management table 301.

  If the document ID of the target document is not registered in the “document ID” column of the access right management table 301, the target document is an unprotected document when it is opened by the application 103 this time, and the process proceeds to step S 408. To do. On the other hand, if the document ID of the target document is registered in the “document ID” column of the access right management table 301, the target document has been a protected document before it is opened by the application 103 this time, so the process proceeds to step S409. Transition.

In step S <b> 408, the file storage control unit 110 displays the access right management server 300.
Then, the document ID of the target document is newly registered in the “Document ID” column of the access right management table 301. Here, the file storage control unit 110 reflects the information on the inheritance management table 108 associated with the target document to be stored in the access right management table 301.

  Specifically, the file storage control unit 110 associates the “copy source document ID” with the document ID of the target document registered in the “open document ID” column in the inheritance management table 108 of FIG. One or more document IDs registered in the column are acquired. The file storage control unit 110 acquires the access right information associated with each acquired document ID by referring to the access right management table 301 via the access right management server 300. The file storage control unit 110 further merges the acquired access right information according to a predetermined condition to generate new access right information to be associated with the target document.

  For example, it is assumed that only one document ID “DOC10” is registered in the “copy source document ID” column in association with the document ID of the target document. In this case, the file storage control unit 110 acquires from the access right management table 301 a set of access right information associated with the document ID “DOC10”. Then, the file storage control unit 110 uses the acquired access right information of the document DOC 10 itself as new access right information to be associated with the target document.

  Alternatively, it is assumed that two document IDs “DOC20” and “DOC30” are registered in the “copy source document ID” column in association with the document ID of the target document. In this case, the file storage control unit 110 acquires a set of access right information associated with the document IDs “DOC20” and “DOC30” from the access right management table 301.

  Then, the file saving control unit 110 generates access right information to be associated with the target document by merging each access right information associated with the document IDs “DOC20” and “DOC30” with the following “AND condition”. To do. That is, the file storage control unit 110 sets the access right for the target document only for the combination in which the access right is set for each access right information associated with the document IDs “DOC20” and “DOC30”. To do. The “AND condition” can be formalized as follows.

  In the access right management table 301 of FIG. 5, the read authority for the combination of the document ID “D”, the user ID or group ID “U”, and the application ID “A” is expressed by Expression (1). When the read authority is set, the value of the expression (1) is true, and when not set, the value of the expression (1) is false.

Read (D, U, A) (1)
Here, the document ID of the target document is “D”, and the document ID “D” in the inheritance management table 108 is the document ID “D ₁ ”,..., “D _N ” as the “copy source document ID”. Assume that they are associated (N ≧ 1).

Further, assuming that 1 ≦ j ≦ P, each “U _j ” is associated with at least one document ID among “D ₁ ” to “D _N ” and registered in the access right management table 301. Let it be an ID. Further, assuming that 1 ≦ k ≦ Q, each “A _k ” is an application ID registered in the access right management table 301 in association with at least one document ID among “D ₁ ” to “D _N ”. And

At this time, the “AND condition” defines a merging method in which the access right information of the target document D is generated by calculating the logical product of N truth values as in Expression (2).
Read (D, U _j , A _k )
= Read (D ₁ , U _j , A _k ) ∧
...... ∧Read (D _N , U _j , A _k ) (2)
More precisely, according to the “AND condition”, the file storage control unit 110 reads out all combinations of 1 ≦ j ≦ P and 1 ≦ k ≦ Q to be set in the target document D according to Expression (2). Calculate authority. The file storage control unit 110 also calculates other types of authority such as a write authority and a print authority by the same logical product operation.

  Then, the file storage control unit 110 requests the access right management server 300 to set the calculation result in the access right management table 301 as access right information to be associated with the target document D. That is, the file storage control unit 110 adds new access right information to the access right management table 301 via the access right management server 300.

Further, in step S408, the file storage control unit 110 deletes the information in the inheritance management table 108 reflected in the access right management table 301. In other words, using the notation of Expression (2), a set of “D” in the “Document ID” column and “D ₁ ” to “D _N ” in the “Copy Source Document ID” column is saved as a file. The control unit 110 deletes it from the inheritance management table 108.

  If it is determined in step S407 that the target document has already been a protected document, the file storage control unit 110 executes the process of step S409. That is, the file storage control unit 110 reflects information on the inheritance management table 108 associated with the target document to be stored in the access right management table 301.

  For example, in accordance with an “AND condition” similar to that in step S408, in step S409, the file storage control unit 110 generates access right information of the target document D by a logical product operation of equation (3).

Read (D, U _j , A _k )
= Read (D, U _j , A _k ) ∧Read (D ₁ , U _j , A _k ) ∧
...... ∧Read (D _N , U _j , A _k ) (3)
That is, in step S409, the access right information originally set in the target document D itself and the access right information of the other documents D _{1 to DN} that are the sources of data reused in the target document D are obtained. The file storage control unit 110 performs merging. Thereby, the file storage control unit 110 generates new access right information for the target document D, and sets the new access right information in the access right management table 301 via the access right management server 300.

  As is clear from equation (3), when the inheritance management table 108 is in the state shown in FIG. 4, the documents DOC6 and DOC7 are respectively the same regardless of which of the documents DOC6 and DOC7 is stored first. The access right information is updated.

Further, in step S409, the file storage control unit 110 deletes the information in the inheritance management table 108 reflected in the access right management table 301. In other words, using the notation of Expression (3), a set of “D” in the “Document ID” column and “D ₁ ” to “D _N ” in the “Copy Source Document ID” column is saved as a file. The control unit 110 deletes it from the inheritance management table 108.

As described above, in steps S408 and S409, the file storage control unit 110 recognizes that the documents D ₁ to D _N are associated with the target document D with reference to the inheritance management table 108. Thereby, the file saving control unit 110, should we refer as the basis for calculating the new access rights to be set in the target document D can recognize that the access right information of the document D _{1 ~} document D _N.

  After execution of step S408 or S409, the process proceeds to step S405. In step S405, the file storage control unit 110 stores the target document converted into the protected format in step S406 in the document storage area 101, reports the completion of storage to the application 103, and the process in FIG.

  9 is compared with the processing at the time of saving the document D2 in FIG. 2, the registration of the access right information of the document D2 in FIG. 2 is performed in step S408 or S409 in FIG. Further, the encryption in FIG. 2 is performed in step S406 in FIG. 9, and the storage in FIG. 2 is performed in step S405 in FIG.

  Further, according to the processes in FIGS. 7 to 9 described above, for example, when data is copied and pasted from the protected document DOC1 to the document DOC100, and the contents of the protected document DOC1 are reused in the document DOC100, the document DOC100 The access right of the protected document DOC1 is inherited. Access right inheritance does not depend on whether the document DOC 100 was originally a protected document or an unprotected document.

  Therefore, information contained in the copy source document DOC1 is not leaked to the user who does not have access rights to the copy source document DOC1 via the copy destination document DOC100. 7 to 9 are transparently executed without depending on the folder in which the copy source document DOC1 and the copy destination document DOC100 are stored, similarly to the process of FIG. Therefore, according to the present embodiment, it is possible to reliably inherit the access right without burdening the user.

  FIG. 10 is a timing chart illustrating an example of the operation of the first embodiment. FIG. 10 is a diagram for mainly explaining the dynamic change of the inheritance management table 108. In FIG. 10, reference numerals including subscripts “108a” to “108f” are used in accordance with changes in the inheritance management table 108.

In the example of FIG. 10, for simplicity of explanation, the following (f1) to (f5) are assumed, and the access right management table 301 is not shown.
(F1) The user U performs all operations on the document via the application A.

(F2) The protected documents D21, D23, D24, and D26 are already stored in the document storage area 101.
(F3) For the combination of the user U and the application A, read authority and write authority for the protected documents D21, D23, D24, and D26 are given.

  (F4) The unprotected documents D22 and D25 are already stored in the document storage area 101. Actually, in the initial state in FIG. 10, the document IDs “D22” and “D25” have not yet been issued to the non-protected documents D22 and D25. However, for convenience of explanation, “non-protected document D22” and “non-protected document” This is called “Document D25”.

(F5) Nothing is registered in the inheritance management table 108a in the initial state.
Under the above assumption, according to the present embodiment, the contents of the inheritance management table 108 dynamically change as follows.

For example, according to an input from the user U, a copy of the data A from the protected document D21 is requested. Then, the data A and the document ID “D21” are stored in the shared memory 104 in association with each other.

  Then, in response to an input from the user U, when the pasting of the data A to the non-protected document D22 is requested, a new document ID “D22” is issued. Also, as in the inheritance management table 108b, a set of document IDs “D22” and “D21” is registered as a set of “open document ID” and “copy source document ID”.

  Further, according to the input from the user U, a copy of the data B from the protected document D23 is requested. Then, the shared memory 104 stores the data B and the document ID “D23” in association with each other.

  Then, in accordance with the input from the user U, the data B is requested to be pasted on the non-protected document D22. Then, as in the inheritance management table 108c, the document ID “D23” is further associated with the document ID “D22” in the “open document ID” column and associated with the document ID “D23”.

  Further, in accordance with the input from the user U, the data B is required to be pasted on the protected document D24. Then, a set of document IDs “D24” and “D23” is further registered as in the inheritance management table 108d.

  In addition, a copy of data C from non-protected document D22 including data A and B to be protected is requested. Then, the shared memory 104 stores the data C and the document IDs “D21” and “D23” in association with each other. The document IDs “D21” and “D23” associated with the data C are associated with the document ID “D22” in the inheritance management table 108d.

  In FIG. 10, data B and C partially overlap, but data C is arbitrary data in the unprotected document D22. Even if the data C does not overlap with any of the data A and B, according to the present embodiment, the document IDs “D21” and “D23” are stored in the shared memory 104 based on the inheritance management table 108d. Associated with data C.

  That is, according to the present embodiment, after the data A and B are pasted, any data copy from the unprotected document D22 may be indirectly reused from the protected documents D21 and D23. Is considered. And whenever there is a possibility of indirect reuse from a protected document, access rights are inherited.

  When the data C is requested to be pasted on the non-protected document D25 according to the input from the user U, a new document ID “D25” is issued. As in the inheritance management table 108e, a document ID “D25” is newly registered in the “open document ID” column, and the corresponding “copy source document ID” column is associated with data C. The document IDs “D21” and “D23” are registered.

  Further, in accordance with the input from the user U, the data C is required to be pasted on the protected document D26. Then, as in the inheritance management table 108f, the document ID “D26” is newly registered in the “open document ID” column, and the corresponding “copy source document ID” column is associated with the data C. The document IDs “D21” and “D23” are registered.

Thereafter, when the protected documents D24 and D26 and the unprotected documents D22 and D25 are saved, the access right is inherited based on the inheritance management table 108f.
Although the first embodiment has been described in detail above, the common points of the process of FIG. 6 and the processes of FIGS. 7 to 9 are summarized as follows.

  In other words, the access right is set to the protected document, which is an encrypted electronic document, by the access right information indicating the access right for each user. The access right information is stored in the access right management table 301 in association with the document ID.

  The application monitoring unit 106 functions as a capturing unit that monitors and captures one or more processes performed when the content included in the first document that is a protected document is reused in the second document. .

For example, in the process of FIG. 6, a document copy completion report is monitored as a process accompanying copying a first electronic document and saving it as a second electronic document.
In the process of FIG. 7, a copy completion report for a data copy request is monitored as a process accompanying writing of data included in the first electronic document to the shared memory 104. Further, in the process of FIG. 8, a paste request is monitored as a process accompanying writing of data stored in the shared memory 104 to the second electronic document. In the process of FIG. 9, a save request is monitored as a process associated with saving the second electronic document.

  Depending on the type of processing, the reuse of information from a protected document cannot be determined just by capturing one processing. For example, even if a data copy request occurs, the copied data is not always reused.

  Therefore, there are cases where the access control unit 105 can recognize that the reuse of information from the protected document is confirmed by the application monitoring unit 106 serving as a capturing unit monitoring a plurality of processing sets.

  When one or more processes indicating that the reuse of information from the protected document has been confirmed are captured, the file storage control unit 110 functions as a setting unit. That is, the file storage control unit 110 sets the second access right based on the first access right of the first electronic document to the second electronic document by updating the access right information in the access right management table 301. To do.

  As in Expression (2) and Expression (3), the second access right inherits the first access right and is equal to or more strongly limited than the first access right. . Further, when the original second access right is already set in the second electronic document, the second access right is equal to or stronger than the original second access right. It is also restricted.

The file storage control unit 110 also functions as a storage control unit that encrypts and stores the second electronic document.
Next, a second embodiment will be described with reference to FIGS. A description of points in common with the first embodiment will be omitted as appropriate.

  FIG. 11 is a system configuration diagram of the second embodiment. The network 200, the access right management server 300, and the access right management table 301 in FIG. 1 relating to the first embodiment are not shown in FIG. This is because the access right information stored in the access right management table 301 in the first embodiment is stored in the header area of the protected document in the second embodiment.

The header area of the protected document may be stored in the document storage area 101 physically adjacent to the data area of the protected document, and stored in the document storage area 101 physically separated from the data area. May be. For example, according to the file system provided by the OS 102, an alternative data stream or a resource fork can be used as a header area of a protected document.

  That is, in the first embodiment, the access right information is centrally managed by the access right management table 301, but in the second embodiment, the access right information is distributed and stored in the document storage area 101. The computer 100 according to the second embodiment can inherit access rights in a stand-alone manner.

  In the second embodiment, since the access right management server 300 is not used, the control unit 107 manages the relationship between the document index information for identifying the document on the file system provided by the OS 102 and the document ID. For example, the control unit 107 manages the relationship between the document index information and the document ID using a table (not shown) stored in the same nonvolatile storage device that realizes the document storage area 101. The control unit 107 also issues a document ID.

  Each unit in the control unit 107 may query the access right management server 300 for the document ID in the first embodiment, but in the second embodiment, the unit refers to the table (not shown) included in the control unit 107. Thus, the document ID can be recognized from the document index information.

  Furthermore, each unit in the control unit 107 refers to and updates the access right management table 301 via the access right management server 300 in the first embodiment. However, in the second embodiment, each unit in the control unit 107 refers to or updates the access right information distributed in the document storage area 101 without using the access right management server 300.

  FIG. 12 is a diagram showing an example of access right information stored in a document in the second embodiment. The access right information 401 in FIG. 12 is represented by a combination of a user ID or group ID, an application ID, and an authority.

  Compared with FIG. 5 of the first embodiment, the “document ID” column of FIG. 5 is deleted in FIG. Further, the access right management table 301 in FIG. 5 includes access right information corresponding to a plurality of documents, whereas in FIG. 12, only the access right information 401 corresponding to one document is shown. However, in other respects, FIG. 12 and FIG. 5 are the same.

The reason for the difference from FIG. 5 is that, since the access right information 401 of FIG. 12 is stored in the header area of each protected document, it is not necessary to clearly indicate which protected document corresponds to it.
FIG. 13 is a flowchart when the entire document is copied in the second embodiment. Since the process of FIG. 13 is similar to the process of FIG. 6 of the first embodiment, the description thereof is omitted as appropriate.

In step S501, a document copy request to the OS 102 is generated via the GUI or CLI.
In the next step S502, the OS 102 copies the document according to the document copy request, and reports to the application 103 that the copying is complete. The application monitoring unit 106 captures and intercepts the document copy completion report and notifies the file storage control unit 110.

  In step S503, the file storage control unit 110 determines whether the document copy completion report captured in step S502 relates to a protected document. The determination is made by the file storage control unit 110 checking whether or not the access right information 401 as shown in FIG. 12 is stored in the header area of the copy source document.

  In the present embodiment, since the document copy completion report includes document index information for identifying the copy source document and the copy destination document, the file storage control unit 110 can refer to the header area of the copy source document. Alternatively, the application monitoring unit 106 may recognize the document index information of each of the copy source document and the copy destination document by monitoring and capturing the document copy request in step S501.

  In step S503, the file storage control unit 110 refers to the header area of the copy source document. If the access right information 401 is stored there, the file storage control unit 110 determines that the copy source document is a protected document, and the process proceeds to step S504. Migrate to If the access right information 401 is not stored in the header area of the copy source document, the file storage control unit 110 determines that the copy source document is an unprotected document, and the process proceeds to step S505.

In step S504, the file storage control unit 110 converts the copy destination document, that is, the document newly created by the copy in step S502 into a protected format.
In step S504, the file storage control unit 110 issues a new document ID to the copy destination document, and requests the control unit 107 to manage the document index information of the copy destination document in association with the new document ID. The control unit 107 issues a new document ID according to the request, associates it with the document index information of the copy destination document, and notifies the file storage control unit 110 of the issued document ID.

  Further, the file storage control unit 110 acquires the access right information 401 of the copy source document with reference to the header area of the copy source document, and uses the acquired access right information 401 as the access right information of the copy destination document. Store in the header area.

  Finally, in step S505, the file storage control unit 110 reports the completion of the copy to the destination GUI, CLI, or other process of the document copy completion report captured in step S502. Then, the process of FIG. 13 ends.

  Next, processing performed by the access control unit 105 when copying data in a document in the second embodiment will be described. The process performed by the access control unit 105 when copying data in a document is similar to the process of FIG. 7 of the first embodiment. The difference is that the following processing is performed in the second embodiment instead of step S203 in FIG.

  That is, in the second embodiment, the write control unit 112 determines whether or not the copy source document is a protected document with reference to the header area of the copy source document. If the access right information 401 is stored in the header area, the copy source document is a protected document. If the access right information 401 is not stored in the header area, the copy source document is an unprotected document. In the second embodiment, when the copy source document is a protected document, the write control unit 112 acquires the document ID of the copy source document from the control unit 107.

  Next, processing performed by the access control unit 105 when data is pasted on a document in the second embodiment will be described. The process performed by the access control unit 105 when pasting data on a document is similar to the process of FIG. 8 of the first embodiment. The difference is that the following processing is performed in the second embodiment instead of steps S303, S306, and S307 in FIG.

The determination in step S303 of the first embodiment is performed by the pasting control unit 113 referring to the access right management table 301. In contrast, in the second embodiment, the pasting control unit 113 uses the header area of each document to which one or more document IDs associated with data on the shared memory 104 are assigned instead of the access right management table 301. The access right information 401 is referred to.

  Also, the paste control unit 113 inquires of the access right management server 300 whether or not the document ID has already been issued for the copy destination document, but inquires the control unit 107 in the second embodiment.

Furthermore, in step S307, the access right management server 300 issues a document ID, but in the second embodiment, the control unit 107 issues a document ID.
Next, processing performed by the access control unit 105 when storing a document in the second embodiment will be described. FIG. 14 is a flowchart for storing a document in the second embodiment. In FIG. 14, the description of the same parts as those in FIG. 9 of the first embodiment will be omitted as appropriate.

  In step S601, the application 103 requests the OS 102 to save the currently open document (that is, the target document). The application monitoring unit 106 captures the storage request and notifies the file storage control unit 110 of the captured storage request.

  In step S602, the file storage control unit 110 determines whether the target document is a document in which the document ID is registered in the “open document ID” column of the inheritance management table 108 in FIG. That is, the file storage control unit 110 inquires of the control unit 107 that manages the association between the document index information and the document ID whether or not the document ID has been issued for the target document, and if the document ID has been issued. Get the document ID.

  If the document ID has not been issued for the target document, the process proceeds to step S603. If the document ID has already been issued for the target document, but the document ID of the target document is not registered in the “open document ID” column of the inheritance management table 108, the process also proceeds to step S 603.

  On the other hand, when the document ID has been issued for the target document and the document ID of the target document is registered in the “open document ID” column of the inheritance management table 108, the process proceeds to step S606. Transition.

  The processing after step S603 is executed when the data from the protected document has not been reused after the target document is opened by the application 103 this time, that is, when inheritance of a new access right does not occur. .

  In step S603, the file storage control unit 110 determines whether the target document is a protected document by the same method as in step S403 of FIG. 9 of the first embodiment. If the file storage control unit 110 determines in step S603 that the target document is a protected document, the process proceeds to step S604.

  In step S604, the file storage control unit 110 converts the target document into a protection format, and in step S605, stores the target document in the protection format in the document storage area 101, and reports the storage completion to the application 103. Then, the process of FIG. 14 ends.

  In step S603, when the file storage control unit 110 determines that the target document is an unprotected document, the file storage control unit 110 stores the target document in the document storage area 101 and stores it in the application 103 in step S605. Report completion. Then, the process of FIG. 14 ends.

  The processes after step S606 are executed when the document ID of the target document is registered in the “open document ID” column of the inheritance management table 108, that is, when it is necessary to inherit a new access right. . Similar to step S406 of the first embodiment, the file storage control unit 110 converts the target document into a protected format in step S606.

  In step S607, the file storage control unit 110 determines whether the target document is an unprotected document until it is opened by the application 103 this time. That is, the file storage control unit 110 refers to the header area of the target document, and determines that the target document is a protected document if the access right information 401 is stored in the header area. Judged as a protected document.

If the target document is already a protected document, the process proceeds to step S609. If the target document is an unprotected document at present, the process proceeds to step S608.
In step S608, the file storage control unit 110 generates access right information 401 reflecting information on the inheritance management table 108 associated with the target document to be stored. Then, the file storage control unit 110 adds the generated access right information 401 to the target document. That is, the file storage control unit 110 stores the access right information 401 in the header area of the target document.

  The method by which the file storage control unit 110 generates the access right information 401 in step S608 is the same as that in step S408 in the first embodiment. For example, the file storage control unit 110 generates the access right information 401 according to the “AND condition” using Expression (2). Further, as in the first embodiment, in step S608, the file storage control unit 110 deletes the information in the inheritance management table 108 reflected in the access right information 401.

  If it is determined in step S607 that the target document has already been a protected document, the file storage control unit 110 executes the process of step S609. That is, the file storage control unit 110 reflects the information on the inheritance management table 108 associated with the target document to be stored in the access right information 401 stored in the header area of the target document. For example, the file storage control unit 110 updates the access right information 401 according to the “AND condition” using the same expression (3) as in the first embodiment. In step S609, the file storage control unit 110 deletes the information in the inheritance management table 108 reflected in the access right information 401, as in the first embodiment.

  After execution of step S608 or S609, the file storage control unit 110 stores the target document converted into the protected format in step S606 in the document storage area 101 and reports the storage completion to the application 103, and the processing in FIG.

  Similarly to the first embodiment, the second embodiment described above also has an effect that it is possible to reliably realize access right inheritance and prevent information leakage without imposing a burden on the user. Furthermore, according to the second embodiment, inheritance of access rights can be realized by the computer 100 alone.

Next, a third embodiment will be described with reference to FIGS. A description of points in common with the first embodiment will be omitted as appropriate.
In the third embodiment, when the access right of the copy source document is changed, the new access right of the copy source document is reflected in the access right of the copy destination document. As will be described later, in the third embodiment, the reflection of access rights is repeated in a chain. That is, when the access right of the parent document in the access right inheritance is changed, the access right is changed in a chain manner not only in the child document but also in all the descendant documents.

  The system configuration in the third embodiment is substantially the same as that of the first embodiment shown in FIG. However, while the access right management table 301 of the first embodiment is configured as shown in FIG. 5, the access right management table 301b of the third embodiment is configured as shown in FIG.

  FIG. 15 is a diagram illustrating an example of an access right management table according to the third embodiment. The access right management table 301b of FIG. 15 differs from FIG. 5 in that there is a “copy source document ID” column. The other four columns of “document ID”, “user ID or group ID”, “application ID that can handle protected documents”, and “authority” are the same as those in FIG. The “copy source document ID” column is provided in order to realize chained reflection of access rights.

  In FIG. 15, a list of document IDs in the “copy source document ID” column is associated with the document IDs in the “document ID” column. The list of document IDs in the “copy source document ID” column may be empty, may include only one document ID, or may include a plurality of document IDs.

  In the example of FIG. 15, a list of “copy source document ID” columns including “DOC2” and “DOC5” is associated with “DOC1” of the “document ID” column, and the following (g1) and (g2) Represents.

  (G1) Data was reused from the protected document DOC2 directly to the document DOC1. Or, the content of the protected document DOC2 may be reused in the document DOC1 indirectly through one or more non-protected documents (that is, the protected document DOC2 is an indirect source document of the protected document DOC1). is there).

  (G2) Data was reused from the protected document DOC5 directly to the document DOC1. Or, the content of the protected document DOC5 may be reused in the document DOC1 indirectly through one or more unprotected documents (that is, the protected document DOC5 is an indirect source document of the protected document DOC1). is there).

  The empty list is registered in the “copy source document ID” column when no data reused from another protected document is included. How the “copy source document ID” column is set will be described later with reference to FIGS. 16 and 17. As described in (g1) and (g2) above, the combination of the “document ID” column and the “copy source document ID” column is a second similar to the first inheritance management information managed by the inheritance management table 108 of FIG. This is an example of inheritance management information. However, the inheritance management table 108 is dynamically created and rewritten only while the document is opened, whereas the access right management table 301b is held in the nonvolatile memory even when the document is not opened.

  FIG. 16 is a flowchart for copying the entire document in the third embodiment. The process of FIG. 16 is similar to the process of FIG. 6 of the first embodiment, and thus description of common points is omitted as appropriate.

In step S701, a document copy request to the OS 102 is generated.
In the next step S702, the OS 102 copies the document in accordance with the document copy request, and reports to the application 103 that the copying is complete. Then, the application monitoring unit 106 captures and intercepts the document copy completion report and notifies the file storage control unit 110.

In step S703, the file storage control unit 110 determines whether the document copy completion report captured in step S702 relates to the protected document by referring to the access right management table 301b. The details of the determination method are the same as in step S103 of the first embodiment.

  If the copy source document is a protected document, the process proceeds from step S703 to step S704. If the copy source document is an unprotected document, the process proceeds from step S703 to step S705.

In step S704, the file storage control unit 110 converts the copy destination document into a protected format.
In step S704, the file storage control unit 110 issues a new document ID to the copy destination document, and requests the access right management server 300 to manage the document index information of the copy destination document in association with the new document ID. To do. The access right management server 300 issues a new document ID according to the request, associates it with the document index information of the copy destination document, and notifies the file storage control unit 110 of the issued document ID.

  Further, the file storage control unit 110 associates the new document ID for the copy destination document with the document ID of the copy source document via the access right management server 300 and registers the new document ID in the access right management table 301b to copy the copy source document. Is added to the copy destination document. That is, the file storage control unit 110 requests the access right management server 300 to add a new entry set as shown in (h1) to (h3) below to the access right management table 301b. 300 follows the request.

(H1) The “document ID” column contains the document ID of the copy destination document
(H2) “Copy source document ID” column is a list consisting only of document IDs of the copy source document. (H3) The other three columns are copies of entries in which the document ID of the copy source document is registered in the “Document ID” column. Finally, in step S705, the file storage control unit 110 reports the completion of copying to the destination GUI, CLI, or other process of the document copy completion report captured in step S702. Then, the process of FIG. 16 ends.

  Next, processing when copying data in a document in the third embodiment will be described. The process for copying data in the document is similar to the process of FIG. 7 of the first embodiment. The difference is the content that the write control unit 112 writes in the shared memory 104 in association with the data in the protected format in step S204 of FIG. That is, in the third embodiment, the write control unit 112 copies only the document ID of the copy source document to the shared memory 104 and associates it with the data in the protected format.

  In the first embodiment, in order to achieve proper access right inheritance, indirect copy sources for data that is indirectly reused in a protected document via one or more other protected or non-protected documents Documents need to be managed. Therefore, in step S204, the write control unit 112 associates the document ID acquired from the inheritance management table 108 with the data in the protected format.

  However, in the third embodiment, the access right of the indirect copy source document can be properly inherited by the process of FIG. Therefore, in the third embodiment, reference to the inheritance management table 108 is omitted in step S204, and only the document ID of the copy source document is associated with the data.

Note that the processing when data is pasted on a document in the third embodiment is the same as the processing in FIG.
FIG. 17 is a flowchart for storing a document in the third embodiment. The description of the same parts as those of the process of FIG. 9 of the first embodiment will be omitted as appropriate.

In step S <b> 801, the application 103 issues a target document save request to the OS 102. Further, the application monitoring unit 106 captures the save request.
In the next step S802, the file storage control unit 110 determines whether or not the target document is a document whose document ID is registered in the “open document ID” column of the inheritance management table 108 of FIG.

  If the document ID has not been issued for the target document, the process proceeds to step S803. Also, when the document ID has been issued for the target document, but the document ID of the target document is not registered in the “open document ID” column of the inheritance management table 108, the process proceeds to step S803.

  On the other hand, if the document ID has been issued for the target document and the document ID of the target document is registered in the “open document ID” column of the inheritance management table 108, the process proceeds to step S806. Transition.

  The processes in and after step S803 are executed after the target document is opened by the application 103 this time, when data reuse from the protected document has not occurred, that is, when no new access right has been inherited. . In step S803, the file storage control unit 110 determines whether the target document is a protected document.

  If the file storage control unit 110 determines in step S803 that the target document is a protected document, the process proceeds to step S804. In step S804, the file storage control unit 110 converts the target document into a protected format. Subsequently, in step S805, the file saving control unit 110 saves the target document in the protected format in the document storage area 101 and reports the completion of saving to the application 103. Then, the process of FIG. 17 ends.

  On the other hand, if the file storage control unit 110 determines in step S803 that the target document is an unprotected document, the process proceeds to step S805. In step S805, the file saving control unit 110 saves the target document in the document storage area 101, reports the completion of saving to the application 103, and the process of FIG. 17 ends.

  The processing after step S806 is executed when a new access right needs to be inherited. Accordingly, in step S806, the file storage control unit 110 converts the target document into a protected format.

  In step S807, the file storage control unit 110 determines whether the target document is an unprotected document until it is opened by the application 103 this time, using the same method as in step S407 of the first embodiment. If the target document is already a protected document, the process proceeds to step S809. If the target document is currently an unprotected document, the process proceeds to step S808.

  In step S808, the file storage control unit 110 newly registers the target document in the “document ID” column of the access right management table 301b via the access right management server 300. Further, the file storage control unit 110 associates the “copy source document ID” with the document ID of the target document newly registered in the “document ID” column in the access right management table 301 b via the access right management server 300. Set the list of columns.

  That is, the file storage control unit 110 is registered in the “copy source document ID” column in association with the document ID of the target document registered in the “open document ID” column in the inheritance management table 108 of FIG. One or more document IDs are acquired. Then, the file storage control unit 110 via the access right management server 300 displays a list of the acquired document IDs in the access right management table 301b of FIG. Register in the “Document ID” column.

  Further, the file saving control unit 110 uses the same method as in step S408 of the first embodiment to access the information in the “copy source document ID” column of the inheritance management table 108 associated with the target document to be saved as an access right. This is reflected in the management table 301b. That is, the file storage control unit 110 generates new access right information to be associated with the target document according to a predetermined condition such as an “AND condition” as in the first embodiment. Then, the file storage control unit 110 registers the generated access right information in association with the document ID of the target document in the access right management table 301b via the access right management server 300.

  Further, similarly to the first embodiment, in step S808, the file storage control unit 110 deletes the information of the inheritance management table 108 reflected in the access right management table 301b.

  If it is determined in step S807 that the target document has already been a protected document, the file storage control unit 110 executes the process of step S809. That is, the file storage control unit 110 acquires one or more document IDs associated with the document ID of the target document and registered in the “copy source document ID” column of the inheritance management table 108. Then, the file storage control unit 110 adds the acquired document ID to the list in the “copy source document ID” column associated with the document ID of the target document in the access right management table 301b via the access right management server 300. To do.

  Further, the file storage control unit 110 reflects the information on the inheritance management table 108 associated with the target document to be stored in the access right management table 301b as in step S409 of the first embodiment. Further, the file storage control unit 110 deletes the information of the inheritance management table 108 reflected in the access right management table 301b, as in the first embodiment.

  After execution of step S808 or S809, the process proceeds to step S805. In step S805, the file saving control unit 110 saves the target document converted into the protected format in step S806 in the document storage area 101, reports the saving bureaucracy to the application 103, and the process in FIG. 17 ends.

Subsequently, a chained change of access rights in the third embodiment will be described with reference to FIGS.
FIG. 18 is a flowchart of processing for changing access rights in a chained manner in the third embodiment.

In step S901, the access right setting of the document whose document ID is i is changed. The “change” in step S901 includes, for example, the following (i1) to (i3).
(I1) The access right information registered in the access right management table 301b for the existing protected document i is changed in step S809 in FIG.

(I2) The unprotected document i is newly registered as a protected document in the access right management table 301b in step S808 in FIG. 17, and the access right is not set and the access right is set. .

(I3) A new protected document i is created by the processing of FIG. 16 and registered in the access right management table 301b.
(I1) to (i3) are all changes by the file storage control unit 110. For example, in the present embodiment, in the program for realizing the file storage control unit 110, the procedure for updating the access right management table 301b via the access right management server 300 includes the calling of the process of FIG. . Therefore, the access right is surely changed in a chain.

  In step S902, the file storage control unit 110 determines whether the document i is an existing protected document. In the case of (i1), since the document i is an existing protected document, the process proceeds to step S903. In the case of (i2) and (i3), the document i is not an existing protected document, but is in a protected format immediately before the processing of FIG. In this case, since there is no other document that should inherit the access right of the document i, the processing in FIG. 18 ends.

  In step S903 and subsequent steps, the file storage control unit 110 uses two lists named “changed document list” and “unchanged document list”. By using the two lists, the file storage control unit 110 can change the access right in a chained manner while coping with a case where a plurality of documents have a relationship of reusing data cyclically. .

  The changed document list is a list of protected documents whose access right has already been changed among the protected documents whose access right should be changed according to the change of the access right of the protected document i. The unchanged document list is a list of protected documents whose access rights should be changed in accordance with the change of the access rights of the protected document i as the processing progresses, but whose access rights have not been changed yet. It is.

  In step S903, the file storage control unit 110 initializes the changed document list. That is, the file storage control unit 110 creates a changed document list having only a document ID i.

  Next, in step S904, the file storage control unit 110 initializes the unmodified document list with the document ID of another document that reuses the information of the document i. Specifically, the file storage control unit 110 creates an empty list as an unmodified document list, and uses the document ID of i as a key to create a list in the “copy source document ID” column of the access right management table 301b of FIG. Search for. Then, the file storage control unit 110 adds all the document IDs in the “document ID” column associated with the list including the document ID “i” to the unmodified document list.

After initialization of steps S903 and S904, the file storage control unit 110 repeatedly executes steps S905 to S911.
In step S905, the file storage control unit 110 determines whether the unmodified document list is empty. If the unchanged document list is empty, the process in FIG. 18 ends. If the unchanged document list is not empty, the process proceeds to step S906.

  In step S906, the file storage control unit 110 extracts one document ID from the unmodified document list. In the present embodiment, the file storage control unit 110 extracts the first document ID of the unmodified document list. Hereinafter, it is assumed that the document ID extracted in step S906 is p.

In step S907, the file storage control unit 110 refers to the access right management table 301b via the access right management server 300, and “copy source document ID” associated with the document ID p in the “document ID” column. Get the document ID for the column. For example, when p = “DOC1”, the file storage control unit 110 acquires “DOC2” and “DOC5” in the “copy source document ID” column from the access right management table 301b of FIG.

  Then, the file storage control unit 110 acquires the access right information of the document having the acquired document ID and the document p itself from the access right management table 301b via the access right management server 300. For example, when p = “DOC1”, the file storage control unit 110 acquires the access right information of the document DOC2, the document DOC5, and the document DOC1.

  Then, the file storage control unit 110 generates access right information to be newly set for the document p based on the acquired access right information. For example, when p = “DOC1”, the file storage control unit 110 uses the access right information of the acquired documents DOC1, DOC2, and DOC5 to create a new access right for the document DOC1 according to the “AND condition” in Expression (3). Generate information.

The file storage control unit 110 sets the new access right information of the generated document p by overwriting the access right management table 301b via the access right management server 300.
In step S908, the file storage control unit 110 adds a document ID “p” to the changed document list, and deletes the document ID “p” from the unmodified document list in step S909.

  In step S910, the file storage control unit 110 refers to the access right management table 301b via the access right management server 300, and acquires the document ID of the document that reuses the information of the document p. That is, in the same manner as in step S904, the file storage control unit 110 searches the “copy source document ID” column of the access right management table 301b using the document ID “p” as a key, and records the corresponding document ID column. Get an ID.

As a result of step S910, no document ID may be obtained or one or more document IDs may be obtained.
Next, in step S911, the file storage control unit 110 adds the document ID acquired in step S910 that is not in either the changed document list or the unchanged document list to the unchanged document list. In the present embodiment, the file storage control unit 110 adds a document ID to the end of the unchanged document list.

  After step S911, the process returns to step S905. By repeatedly executing steps S905 to S911, the access rights of all the protected documents that directly or indirectly inherit the access rights of the protected document i are chained according to the change of the access rights of the protected document i. Be changed.

Next, a specific example of the process in FIG. 18 will be described with reference to FIGS. 19 and 20.
FIG. 19 is a diagram showing a data reuse relationship between documents in the third embodiment. In FIG. 19A, each arrow points from the copy source document ID to the copy destination document ID. FIG. 19B is an example of the access right management table 301b when data is reused as shown in FIG. 19A. The association between the “document ID” column and the “copy source document ID” column is as follows. This corresponds to the arrow in FIG. For simplification of explanation, the contents of the “user ID or group ID” column, the “application ID that can handle protected documents” column, and the “authority” column in the access right management table 301 b are omitted as appropriate in FIG. 19B. Has been.

In the example of FIG. 19A, the document D31 does not include information reused from other protected documents. Therefore, there is no arrow indicating the document ID “D31”, and there is no copy source document ID associated with the document ID “D31” in the “document ID” column in FIG.

  Further, the information of the document D31 is reused in the document D32 and the document D34. Accordingly, as shown in FIG. 19B, the document ID “D31” is associated with the document ID “D32” in the “document ID” column and the document ID “D31” in the “copy source document ID” column.

  Further, the information of the document D32 is reused in the document D33. In the document D33, the information of the document D34 is also reused. Therefore, as shown in FIG. 19B, the document IDs “D32” and “D34” are associated with the document ID “D33” in the “document ID” column in the “copy source document ID” column.

Since there is no document that reuses the information of the document D33, the document ID “D33” does not exist in the “copy source document ID” column.
The information of the document D34 is also reused in the document D35. Further, the information of the document D35 is reused in the document D34. That is, the document D34 and the document D35 mutually reuse information, and the parent-child relationship between the document D34 and the document D35 is cyclic. This cyclic reuse is represented in FIG. 19B as follows. That is, the document ID “D35” in the “copy source document ID” column is associated with the document ID “D34” in the “document ID” column, and the “copy source document ID” is associated with the document ID “D35” in the “document ID” column. ”Column document ID“ D34 ”is associated.

  As described above with reference to FIG. 19, it is assumed that the setting of the access right of the document D31 is changed in the situation where the information is reused. Then, when the file storage control unit 110 executes the processing of FIG. 18, the access rights of the documents D32 to D35 are also changed in a chain. Hereinafter, a process of sequentially changing access rights will be described with reference to FIG.

  FIG. 20 is a diagram illustrating a process in which access rights are changed in a chained manner in the third embodiment. FIG. 20 shows the document ID of the document whose access right is changed, the step number in FIG. 18, the state of the unchanged document list, and the state of the changed document list in a table format.

  In step S901 where the processing of FIG. 18 is started, the access right of the document D31 is changed, but the unmodified document list and the changed document list are both empty until the next step S902. In step S903, the document ID “D31” is added to the changed document list, and in step S904, document IDs “D32” and “D34” are added to the unchanged document list.

  In step S905, it is determined that the unmodified document list is not empty. In subsequent steps S906 to S911, p = “D32”. Accordingly, in step S907, the access right of the document D32 is updated based on the access right information associated with the document D32 itself and the document D31.

  Then, in steps S908 and S909, the document ID “D32” is moved from the unchanged document list to the changed document list. Also, the document ID “D33” is acquired in step S910 and added to the unmodified document list in step S911.

  In step S905, it is determined that the unchanged document list is not empty. In subsequent steps S906 to S911, p = “D34”. Therefore, in step S907, the access right of the document D34 is updated based on the access right information of the document D34 itself, the document D31, and the document D35.

  In steps S908 and S909, the document ID “D34” is moved from the unchanged document list to the changed document list. In step S910, the document IDs “D33” and “D35” are acquired, but the document ID “D33” is already included in the unmodified document list. Accordingly, only the document ID “D35” is newly added to the unmodified document list in step S911.

  Even in step S905 executed for the third time, it is determined that the unchanged document list is not empty. In subsequent steps S906 to S911, p = “D33”. Therefore, in step S907, the access right of the document D33 is updated based on the access right information of the document D33 itself, the document D32, and the document D34.

  Then, in steps S908 and S909, the document ID “D33” is moved from the unchanged document list to the changed document list. In step S910, since no document ID is acquired, the unmodified document list does not change in step S911.

  Even in step S905 executed for the fourth time, it is determined that the unchanged document list is not empty. In subsequent steps S906 to S911, p = “D35”. Accordingly, in step S907, the access right of the document D35 is updated based on the access right information of the document D35 itself and the document D34.

  Then, in steps S908 and S909, the document ID “D35” is moved from the unchanged document list to the changed document list. In step S910, the document ID “D34” is acquired, and the document ID “D34” is already included in the changed document list. Therefore, the unmodified document list does not change in step S911.

That is, the process returns to step S905 when the unmodified document list is empty, and the process of FIG.
The access right chain resetting process described with reference to FIGS. 18 to 20 is formalized and summarized as follows.

  As illustrated in (g1) and (g2) with respect to FIG. 15, “data has been reused directly from unprotected document x to protected document y, or indirectly through one or more unprotected documents. The relationship that “the content of the protected document x is reused in the protected document y” is “R”. In other words, the relationship R is the second represented by the combination of the “document ID” column and the “copy source document ID” column in the access right management table 301b of FIG. 15 set by the processing of FIG. 16 or FIG. The inheritance relationship between the two electronic documents defined by the inheritance management information. For example, Expression (4) is established in the example of FIG.

(D31 R D32) ∧ (D32 R D33) ∧
(D31 R D34) ∧ (D34 R D33) ∧
(D34 R D35) ∧ (D35 R D34) (4)
Here, the relationship defined as transitive closure of the relationship R is expressed as “R ⁺ ” and is referred to as “transitive inheritance relationship”. The process of FIG. 18 recognizes one or more electronic documents in which the transitive inheritance relationship R ⁺ is established for the protected document i when the access right of the protected document i is changed, and the recognized one or more electronic documents. This is a process for resetting the access right of each document. In resetting the access right of each electronic document, the change of the access right of the protected document i is reflected directly or indirectly.

For example, Equation (5) is established in the example of FIG.
(D31 R ⁺ D32) ∧ (D31 R ⁺ D33) ∧
(D31 R ⁺ D34) ∧ (D31 R ⁺ D35) (5)
Therefore, as shown in FIG. 20, the four protected documents D32 to D35 in which the transitive inheritance relationship R ⁺ is established for the protected document D31 are recognized, and the respective access rights are reset. Further, the access rights of each of the protected documents D32 to D35 are reset by directly referring to the access right information of the document D31, or indirectly through the access right information of another protected document that has already been reset. Is reset to reflect the change of the access right of the document D31.

  Although the first to third embodiments have been described in detail above, the computer 100 and the access right management server 300 described in the above embodiment may be configured as a computer 500 in FIG. 21, for example. FIG. 21 is a configuration diagram of a computer.

  The computer 500 includes a central processing unit (CPU) 501, a read only memory (ROM) 502, a random access memory (RAM) 503, a communication interface 504, an input device 505, an output device 506, a storage device 507, and a portable storage medium. 510 drive devices 508 are provided. These units included in the computer 500 are connected by a bus 509.

  The computer 500 is connected to the network 511 via the communication interface 504. The network 511 is an arbitrary network such as a LAN (Local Area Network) or the Internet.

The CPU 501 loads various programs into the RAM 503, and executes the various programs while using the RAM 503 as a working area.
Various programs executed by the CPU 501 may be stored in advance in the ROM 502 or the storage device 507, provided from the program provider 512 via the network 511, and stored in the storage device 507. Alternatively, various programs executed by the CPU 501 may be stored in the portable storage medium 510, loaded from the portable storage medium 510 set in the driving device 508 to the RAM 503, and executed by the CPU 501. As the portable storage medium 510, various types of storage media such as an optical disc such as a CD (Compact Disc) and a DVD (Digital Versatile Disk), a magneto-optical disc, a magnetic disc, and a nonvolatile semiconductor memory can be used.

  The input device 505 is a pointing device such as a mouse or a keyboard. The output device 506 is a display device such as a liquid crystal display. The storage device 507 may be a magnetic disk device such as a hard disk device or another type of storage device.

  For example, when the computer 100 of FIGS. 1 and 11 is configured as a computer 500, the shared memory 104 and the inheritance management table 108 are realized by the RAM 503, and the document storage area 101 is realized by the storage device 507. In the second embodiment, a table (not shown) for managing the document index information and the document ID in association with each other is also stored in the storage device 507.

  Further, the programs of the OS 102 and the application 103 are stored in advance in the storage device 507, for example. The CPU 501 loads the programs of the OS 102 and the application 103 into the RAM 503 and executes them.

The access control unit 105 other than the inheritance management table 108 realized by the RAM 503 is realized by the CPU 501 executing the various programs.
That is, by monitoring the application 103 and the OS 102 and executing a program for recognizing the trigger of the processing in FIGS. 6 to 9, 13, 14, 16, and 17, the CPU
Reference numeral 501 functions as the application monitoring unit 106. Further, the CPU 501 functions as the file open control unit 109 by executing a program for processing when opening a document described with reference to FIG.

  And CPU501 functions as the file preservation | save control part 110 by running the program for the process of FIG.6, FIG.9, FIG.13, FIG.14, FIG. Further, the CPU 501 functions as the write control unit 112 by executing a program for the processing in FIG. 7 (or processing similar to that in FIG. 7 in the second embodiment or the third embodiment). Furthermore, the CPU 501 also functions as the pasting control unit 113 by executing a program for the processing in FIG. 8 (or processing similar to that in FIG. 8 in the second and third embodiments).

As described above, the CPU 501 and the RAM 503 realize the access control unit 105.
In the first and third embodiments, the communication interface 504 is also used for communication between each unit of the access control unit 105 and the access right management server 300.

  When the access right management server 300 of FIG. 1 is configured as a computer 500, an access right management table 301 and a table (not shown) for managing document index information and a document ID in association with each other are stored in the storage device 507. Stored in The network 200 in FIG. 1 corresponds to the network 511 in FIG.

In addition, this invention is not restricted to said 1st-3rd embodiment, A various deformation | transformation is possible. Some examples are described below.
In the above, an example in which the access right is defined for each user has been specifically shown. However, the access right is not always set for each user depending on the embodiment. There are various types of access right restrictions, such as restrictions by passwords and restrictions according to the level of the right holder, that is, the level of authority given to each right holder.

  For example, depending on the embodiment, it is possible to restrict access rights for each password, such as “any user who knows a specific password has the right to read document D”. In addition, “a user at level 0 has no access right to the document D, a user at level 1 or higher has a read authority for the document D, and a user at level 2 or higher has a write authority for the document D”. It is also possible to restrict access rights according to authority levels.

  For example, in the embodiment in which the restriction is performed according to the authority level, a column for storing the authority level value is used instead of the “user ID or group ID” column in the access right management table 301 of FIG. May be. Similarly, the configuration of the access right information 401 in FIG. 12 and the access right management table 301b in FIG. 15 also includes criteria for restricting access rights such as “by user”, “by password”, and “by authority level” (ie, It can be changed as appropriate according to the unit for managing the access right. Note that the processing shown in each flowchart is executed by being appropriately modified according to the difference in the configuration of the access right management table and the like.

  Further, as a modification from another viewpoint, the file storage control unit 110 is based on an explicit request (hereinafter referred to as “protection request”) received via the input device 505 in addition to the operation described above. Further, a process of converting an unprotected document into a protected document may be further performed. The protection request includes access right information to be set.

In the case of the first embodiment, the file storage control unit 110 that has received the protection request requests the access right management server 300 to issue a document ID. Then, the access right management server 300 is requested to register the issued document ID and the access right information specified by the protection request in the access right management table 301.

  In the case of the second embodiment, the file storage control unit 110 that has received the protection request requests the control unit 107 to issue a document ID, and accesses the header area of the unprotected document to be converted as specified in the protection request. Stores rights information.

The case of the third embodiment is the same as that of the first embodiment.
Then, the file storage control unit 110 encrypts the unprotected document according to the protection request and converts it into the protected document.

  Further, the inheritance management table 108 in FIG. 4, the access right management table 301 in FIG. 5, the access right information 401 in FIG. 12, and the access right management table 301b in FIG. 15 are expressed in a table format. However, a data format other than the table format may be adopted. For example, the access right information included in FIGS. 5, 12, and 15 may be expressed in a markup language such as XML (Extensible Markup Language).

  Further, an embodiment in which the “application ID that can handle protected documents” column in FIG. 5, FIG. 12, or FIG. 15 is omitted is also possible. That is, the “application ID that can handle protected documents” column is a column for management by application, and is unnecessary in an embodiment in which access control by user is simply performed.

  Further, when the first to third embodiments are applied to a system in which a plurality of users can log in simultaneously via a plurality of terminals, the inheritance management table 108 in FIG. It may further include a “user ID” column.

  Further, the example of FIG. 4 of the first embodiment represents a stage where data is copied and pasted from the protected document DOC5 to the protected document DOC4 and the protected document DOC4 is not yet saved. According to FIG. 4, at this stage, data is further copied and pasted from the protected document DOC4 to the document DOC3. In the first embodiment, in the case shown in FIG. 4, the document IDs “DOC4” and “DOC5” are associated with the document ID “DOC3”.

  However, when data is copied from the protected document DOC4, the first embodiment may be modified so that only the document ID “DOC4” of the direct copy source document is associated with the data in step S204 of FIG. In that case, steps S408 and S409 in FIG. 9 are modified as follows.

  That is, in steps S408 and S409 in the modified example, the file storage control unit 110 refers to the inheritance management table 108 and associates “copy source” with the document ID “DOC3” of the target document in the “open document ID” column. The document ID “DOC4” stored in the “document ID” column is acquired.

  Then, the file storage control unit 110 refers to the inheritance management table 108 again to search for an entry including the acquired document ID “DOC4” in the “open document ID” column. Thereby, the file storage control unit 110 acquires the document ID “DOC5” associated with the document ID “DOC4” and stored in the “copy source document ID” column.

As described above, by referring to the inheritance management table 108 a plurality of times, the file storage control unit 110 not only stores the document DOC4 corresponding to the parent of the document DOC3 but also the document ID “DOC5” of another protected document corresponding to the ancestor of the document DOC3. Can be acquired. In the modification, the file saving control unit 110 generates access right information of the target document by merging the access right information of the ancestor document thus obtained according to the “AND condition”.

  In the first embodiment or the third embodiment, the access control unit 105 may download the access right management table 301 or 301b from the access right management server 300 to the computer 100 and store it in the document storage area 101, for example. Good. The access control unit 105 may set an expiration date in the downloaded access right management table 301 or 301b as necessary.

  Within the validity period, each unit in the access control unit 105 refers to or changes the access right management table 301 or 301b downloaded to the document storage area 101 in the same manner as in the first or third embodiment. As described above, even a local machine (that is, the computer 100) separated from the network 200 can temporarily inherit the access right as long as it is within the expiration date.

  Alternatively, an embodiment in which the access right management table 301 or 301b is constantly stored in the document storage area 101 without setting an expiration date, and the computer 100 independently inherits the access right is also possible.

  In the first to third embodiments, the file storage control unit 110 generates new access right information according to the “AND condition” defined using the expressions (1) to (3) in the inheritance of the access right. is doing. However, equation (6) can be used instead of equation (2), or equation (7) can be used instead of equation (3).

Read (D, U _j , A _k )
= (Read (D ₁ , U _j , A _k ) ∨Write (D ₁ , U _j , A _k )) ∧
......
∧ (Read (D _N , U _j , A _k ) ∨ Write (D _N , U _j , A _k ))
(6)
Read (D, U _j , A _k )
= Read (D, U _j , A _k ) ∧
(Read (D ₁ , U _j , A _k ) ∨Write (D ₁ , U _j , A _k )) ∧
......
∧ (Read (D _N , U _j , A _k ) ∨ Write (D _N , U _j , A _k ))
(7)
5, 12, and 15 exemplify read authority, write authority, and print authority as the authority types. However, depending on the embodiment, various types of authority corresponding to various other operations such as execution, deletion, search, and data copy may be managed. On the other hand, for example, there is no need for a type of authority such as a printing authority. Depending on what kind of authority is managed, the “AND condition” can be modified as appropriate.

  In the above embodiment, the access control unit 105 is implemented as middleware. Therefore, the type of authority in the access right management table 301 or 301b can be determined regardless of the access control specification in the file system provided by the OS 102.

Moreover, you may combine 2nd Embodiment and 3rd Embodiment. That is, in the second embodiment, the “copy source document ID” column in the access right management table 301b in FIG. 15 is added to the access right information 401 in FIG. 12, and the same processing as in FIG. 18 in the third embodiment is performed. Can also be modified.

  In the first to third embodiments, a document stored in the document storage area 101 is an access right inheritance target. However, a document stored in an external storage device such as a file server different from the computer 100 may be the target of access right inheritance.

  For example, as shown in FIG. 10, in the first to third embodiments, the document ID is also stored in the shared memory 104 in association with the copied data. However, the document ID may be stored in an area on the RAM different from the shared memory 104 in which the copied data is stored.

  An embodiment using document index information instead of the document ID is also possible. In this case, the access right management server 300 or the control unit 107 does not need to issue a document ID or manage the relationship between the document index information and the document ID.

  Further, in each of the above embodiments, the access right inheritance when information is reused mainly by the above (b1) and (b3) has been described. However, with regard to (b2) and (b4) to (b6), the application control unit 106 monitors and captures specific processing associated with information reuse so that the access control unit 105 can inherit the access right. can do. The process to be monitored may be a request to the OS 102 such as a system call or a response from the OS 102, for example.

  For example, regarding the reuse of information by the “Save As” menu in (b2), the access right can be inherited by modifying the processing of FIG. 9 as follows. That is, when the currently opened document X is to be saved as another document Y, the application monitoring unit 106 captures the save request as in step 401. Then, similarly to step S <b> 402, the file storage control unit 110 determines whether or not the document X is registered in the “open document ID” column of the inheritance management table 108.

  If the document ID “X” is not registered in the “open document ID” column of the inheritance management table 108, the file storage control unit 110 determines whether or not the document X was originally a protected document, as in step S403. Judgment.

If the document X is an unprotected document, the file storage control unit 110 stores the document Y as an unprotected document in the document storage area 101 as in step S405.
However, if the document X is a protected document, the file storage control unit 110 converts the document Y into a protected format instead of step S404, and requests the access right management server 300 to issue a document ID to the document Y. Then, the file storage control unit 110 requests the access right management server 300 to copy the access right information of the document X and register it in the access right management table 301 in association with the issued document ID “Y”. Further, the file storage control unit 110 stores the document Y in the protected format in the document storage area 101 as in step S405.

  If the document ID “X” is registered in the “open document ID” column of the inheritance management table 108 in step S402, the file storage control unit 110 converts the document Y into a protected format as in step S406. . Further, the file storage control unit 110 requests the access right management server 300 to issue a document ID for the document Y.

Then, the file storage control unit 110 generates access right information for the document Y as follows. That is, the file storage control unit 110 associates the access right information of the protected document and the access right information of the document X that are associated with the document ID “X” and registered in the “copy source document ID” column of the inheritance management table 108. Are merged by “AND condition” or the like.

  The file storage control unit 110 registers the document ID “Y” and the generated access right information in the access right management table 301 in association with each other via the access right management server 300. Unlike FIG. 9, the file storage control unit 110 does not delete information on the inheritance management table 108 associated with the document ID “X”.

  In addition, the first to third embodiments in which the access right is inherited when the document is saved can be modified so that the access right is inherited when the data is pasted. For example, the first embodiment can be modified so that the update of the access right management table 301 and the deletion of the entry from the inheritance management table 108 in step S408 or S409 in FIG. 9 are performed immediately after step S308 in FIG. . The second and third embodiments can be similarly modified.

  In this modification, for example, a step of displaying a dialog for the user may be added between steps S303 and S305 of FIG. The dialog includes, for example, a warning that “access right is inherited when data is pasted” and a question “whether or not to paste”.

  When the user's answer to the question is input from the input device, the pasting control unit 113 continues the process from step S305 onward based on the input answer or stops the process of FIG. By using the dialog, it is possible to prevent a situation in which, for example, a user's pasting operation is unintentionally inherited without the user's knowledge due to an error in the user's paste operation.

Similarly, a step of displaying a dialog may be added between steps S402 and S406 of FIG. 9 of the first embodiment.
In addition, the various embodiments described above can be modified in consideration of an application or menu for browsing the contents of the clipboard. Hereinafter, a case where the first embodiment is modified will be described as an example.

  There are clipboards provided by the OS 102 and those provided in a specific application or a specific application suite. Hereinafter, the former is referred to as “OS clipboard” and the latter is referred to as “application clipboard”. Both can be realized by the shared memory 104.

  The OS clipboard is generally rewritten every time a copy operation or a cut operation is performed, and does not retain a history. However, some application clipboards provide a function of holding a plurality of copied or cut data and pasting any one of the held data according to a user's selection. .

  The contents of the OS clipboard can be browsed using a type of application called “clipboard viewer”. The contents of the application clipboard can be browsed by selecting a specific menu (hereinafter referred to as “clipboard browsing menu”) from within the application, for example.

In the first embodiment, the write control unit 112 encrypts the data copied to the shared memory 104 in step S204 of FIG. Here, assuming that the encryption in step S204 is not performed, the contents of the data are displayed on the clipboard viewer or the clipboard browsing menu screen. Therefore, for example, when an operation of taking a screen shot of the clipboard viewer screen and pasting it on an unprotected document is performed, information to be protected is leaked.

  However, according to the first embodiment as described above, the data is actually encrypted in step S204. Therefore, there is no risk of information leakage via the clipboard viewer or the clipboard browsing menu.

  However, from the viewpoint of convenience, since the data is encrypted, the contents of the OS clipboard and the application clipboard cannot be viewed by the user, which may be inconvenient. Therefore, the first embodiment may be modified as follows in consideration of the existence of the clipboard viewer and the clipboard browsing menu.

  When a data copy request is issued as in step S201 of FIG. 7, the write control unit 112 executes the process of FIG. In the present modification, the writing control unit 112 further executes the following processing regarding the clipboard viewer after executing step S204 or step S206.

  That is, the writing control unit 112 accesses the data on the shared memory 104 by the user who has started the clipboard viewer based on the document ID associated with the data on the shared memory 104 in a method similar to step S303 in FIG. Determine if you have the right. It is assumed that the access right information including the application ID of the clipboard viewer is appropriately set in the access right management table 301 in FIG.

  When the user who has activated the clipboard viewer has the right to access the data copied on the shared memory 104, the write control unit 112 decrypts the data copied on the shared memory 104 and causes the clipboard viewer to read the data. Thereby, the prevention of information leakage and the convenience of the clipboard viewer are compatible.

  Next, the operation of this modification in the case where the application suite including the application 103 provides an application clipboard and a clipboard browsing menu for holding a history will be described. Here, it is assumed that there are M pieces of data on the shared memory 104 that realizes the application clipboard (M ≧ 1). The M pieces of data may include both those that are not protected and those that are protected and associated with the document ID.

  When a data copy request is issued, the write control unit 112, for each of the M pieces of data copied onto the shared memory 104, the user who has started the application 103 in the same manner as described above has an access right to the data. Determine whether or not.

  If there is an access right, the write control unit 112 decrypts the data and causes the application 103 to read the decrypted data instead of the data on the shared memory 104 as data to be displayed on the clipboard browsing menu. On the other hand, when there is no access right, the write control unit 112 causes the application 103 to read the encrypted data or dummy data as data to be displayed on the clipboard browsing menu.

  As a result, in the clipboard browsing menu, only data with access rights is displayed in a decrypted state. Thereby, prevention of information leakage and convenience of the clipboard browsing menu are compatible.

Finally, the following additional notes are disclosed.
(Appendix 1)
The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. A capture step that monitors and captures one or more processes that occur when utilized;
A setting step of setting a second access right based on the first access right in the second electronic document by updating the access right information when the one or more processes are captured in the capturing step; ,
A storage step of encrypting and storing the second electronic document;
An access control program for causing a computer to execute.
(Appendix 2)
The one or more processes include a first process associated with writing of first data representing the contents in the first electronic document to a shared memory, and a second process representing the contents and stored in the shared memory. And a second process associated with writing the data to the second electronic document,
A write step of generating the second data by encrypting the first data and writing to the shared memory when the first process is captured;
When the second process is captured, a pasting step of decrypting the second data and pasting it on the second electronic document;
The access control program according to appendix 1, wherein the computer is further executed.
(Appendix 3)
The writing step includes a data association step of associating identification information for identifying the first electronic document with the second data;
The pasting step generates first inheritance management information for associating the first electronic document with the second electronic document based on the identification information associated with the second data. Including steps,
The setting step recognizes that the first electronic document is associated with the second electronic document by referring to the first inheritance management information, and Recognizing the first access right to be included,
The access control program according to Supplementary Note 2, wherein
(Appendix 4)
The one or more processes further include a third process associated with storing the second electronic document in which the second data is written,
The setting step is executed when the third process is captured in the capturing step.
The access control program according to Supplementary Note 2, wherein
(Appendix 5)
The access control program according to appendix 2, wherein the setting step is executed when the second process is captured in the capturing step.
(Appendix 6)
If the original second access right has already been set for the second electronic document before the setting step,
In the setting step, based on both the first access right and the original second access right, the setting is restricted to the first access right or more and restricted to the original second access right or more. The second access right is set,
The access control program according to supplementary note 1, wherein
(Appendix 7)
A plurality of the first electronic documents;
When the content represented by each of the plurality of first electronic documents is reused in the second electronic document, the setting step is based on the first access right of each of the plurality of first electronic documents. The second access right is set for the second electronic document,
The second access right is the same as or more restricted than any of the first access rights of each of the plurality of first electronic documents.
The access control program according to supplementary note 1, wherein
(Appendix 8)
A second inheritance management step of generating and storing second inheritance management information for associating the first electronic document with the second electronic document when the content is reused in the second electronic document; ,
When the first access right is changed, by referring to the second inheritance management information, it is defined as a transitive closure of the inheritance relationship between the two electronic documents specified by the second inheritance management information A transitional inheritance relationship established for the first electronic document, the one or more electronic documents including the second electronic document are recognized, and the access rights of each of the recognized electronic documents Re-setting step by directly or indirectly reflecting the change of the first access right,
The access control program according to appendix 1, which is further executed by the computer.
(Appendix 9)
The access control program according to appendix 1, wherein the one or more processes include a fourth process associated with copying the first electronic document and storing it as the second electronic document.
(Appendix 10)
The access control program according to appendix 9, wherein, in the setting step, the second access right is set to be the same as the first access right.
(Appendix 11)
The access control program according to appendix 1, wherein the access right information is centrally managed separately from the first and second electronic documents.
(Appendix 12)
The access right information is centrally managed by a server connected to the computer via a network,
The computer refers to and changes the access right information via the server.
The access control program according to appendix 11, which is characterized by the above.
(Appendix 13)
The access right information is distributed,
Portions of the access right information respectively representing the first access right and the second access right are individually added to the first document and the second document,
The access control program according to supplementary note 1, wherein
(Appendix 14)
The access control program according to appendix 1, wherein the access right information represents an access right for each application.
(Appendix 15)
Computer
The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. Monitor and capture one or more processes that occur when used,
If the one or more processes are captured, a second access right based on the first access right is set in the second electronic document by updating the access right information;
Encrypting and storing the second electronic document;
An access control method characterized by the above.
(Appendix 16)
The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. Capture means for monitoring and capturing one or more processes performed when utilized;
Setting means for setting a second access right based on the first access right to the second electronic document by updating the access right information when the capturing means captures the one or more processes; ,
Storage control means for encrypting and storing the second electronic document;
An access control device comprising:

100 Computer 101 Document Storage Area 102 OS
DESCRIPTION OF SYMBOLS 103 Application 104 Shared memory 105 Access control part 106 Application monitoring part 107 Control part 108, 108a-108f Inheritance management table 109 File open control part 110 File storage control part 111 Shared memory control part 112 Write control part 113 Paste control part 200 Network 300 Access Right Management Server 301, 301b Access Right Management Table 401 Access Right Information 500 Computer 501 CPU
502 ROM
503 RAM
504 Communication interface 505 Input device 506 Output device 507 Storage device 508 Drive device 509 Bus 510 Portable storage medium 511 Network 512 Program provider D1 to D35 Document X Object A to C Data I1 to I3 Document ID

Claims (7)

The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. A capture step that monitors and captures one or more processes that occur when utilized;
A setting step of setting a second access right based on the first access right in the second electronic document by updating the access right information when the one or more processes are captured in the capturing step; ,
A storage step of encrypting and storing the second electronic document;
An access control program for causing a computer to execute. The one or more processes include a first process associated with writing of first data representing the contents in the first electronic document to a shared memory, and a second process representing the contents and stored in the shared memory. And a second process associated with writing the data to the second electronic document,
A write step of generating the second data by encrypting the first data and writing to the shared memory when the first process is captured;
When the second process is captured, a pasting step of decrypting the second data and pasting it on the second electronic document;
The access control program according to claim 1, further causing the computer to execute. The writing step includes a data association step of associating identification information for identifying the first electronic document with the second data;
The pasting step generates first inheritance management information for associating the first electronic document with the second electronic document based on the identification information associated with the second data. Including steps,
The setting step recognizes that the first electronic document is associated with the second electronic document by referring to the first inheritance management information, and Recognizing the first access right to be included,
The access control program according to claim 2, wherein: The one or more processes further include a third process associated with storing the second electronic document in which the second data is written,
The setting step is executed when the third process is captured in the capturing step.
The access control program according to claim 2, wherein: A second inheritance management step of generating and storing second inheritance management information for associating the first electronic document with the second electronic document when the content is reused in the second electronic document; ,
When the first access right is changed, by referring to the second inheritance management information, it is defined as a transitive closure of the inheritance relationship between the two electronic documents specified by the second inheritance management information A transitional inheritance relationship established for the first electronic document, the one or more electronic documents including the second electronic document are recognized, and the access rights of each of the recognized electronic documents Re-setting step by directly or indirectly reflecting the change of the first access right,
The access control program according to claim 1, further causing the computer to execute the program. Computer
The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. Monitor and capture one or more processes that occur when used,
If the one or more processes are captured, a second access right based on the first access right is set in the second electronic document by updating the access right information;
Encrypting and storing the second electronic document;
An access control method characterized by the above. The content included in the encrypted first electronic document in which the first access right is set by the access right information indicating the access right to the plurality of encrypted electronic documents is reproduced in the second electronic document. Capture means for monitoring and capturing one or more processes performed when utilized;
Setting means for setting a second access right based on the first access right to the second electronic document by updating the access right information when the capturing means captures the one or more processes; ,
Storage control means for encrypting and storing the second electronic document;
An access control device comprising: